Proactive or Reactive Security: Red vs Blue
If you look at computer security, most small and medium-sized organizations are doing essentially the same thing: they install a security software suite on their computers that includes malware detection and perhaps a few other features, and they put in a firewall to protect them from the Internet. The firewall usually has some form of virus detection and some sort of intrusion protection, along with a few other elements.
That pretty much sums up their entire defensive strategy.
When you compare this sort of defense to what larger outfits have (i.e. a “proper” defensive strategy), a couple of things become very clear:
1) In-depth Computer Security knowledge and skills are rare
2) Those skills are in demand and expensive
It seems that the very nature of the situation puts smaller organizations at a disadvantage, and to a large extent it does. This got me thinking about ways that smaller outfits could attempt to make up for it. Something to remember is that not everything scales well: what works on a small scale will eventually break down when you apply it to something larger. This is true for everything from your organization, to your management structure, to your method of communication (in a small company it’s easy to talk to the CEO, because he sits right over there; in a large company … not so much).
For smaller groupings, what could work is getting your users involved in the whole “computer security issue.” Encourage them to play around with the software and try to do things they are not normally supposed to. Let them know that doing this is OK, so long as they pay attention to what they did AND tell their superiors when something unexpected happens or when they manage to perform an action they should not be able to.
What this does is essentially turn all your staff into penetration testers. Normally, the only time you hear from your staff about computer-related issues is when they cannot do something they should be able to. You almost never hear about the times when they can do something that they should not.
The idea is that you need to ensure your staff is aware of what is “normal” for them to be able to do with their computers. Then make sure they also know who to report to if anything “outside the norm” occurs. Also, foster the attitude that just because something unusual happened, it does not mean it is their fault. Honestly, a lot of the problematic situations that occur happen because the security settings on the computers are lax. If that is the root cause, then the fault ultimately lies with the organization.
The problem with waiting for things to go wrong before making changes is that it does nothing to stop trouble from taking place. You can learn a lot from an incident and make alterations to keep it from happening again, but that does nothing to prevent it the first time. Engaging your staff to actively seek out issues is a way to stave off complications before they become incidents. Rather than choosing between the reactive and the proactive approach, use both.
If you have any questions about Encouraging User Participation, please reach out to your TRINUS Account Manager for stress-free IT.
By Kind Courtesy of Your Friendly Neighbourhood Cyber-Man.