IT Security: 10 Steps That Can Save You Money and Your Reputation

Paul Kenyon (Profile)
Friday, September 14th 2012

Every organisation faces one challenge to their IT security position – the user. It doesn’t matter how much security training and advice a person is given - if they want, and can, do something then they will. Unfortunately, a user with admin rights – wittingly or unwittingly – is akin to a loose cannon. You just don’t know when or where they’re going to strike, and the results can be devastating. And once a problem occurs it all too often turns into a downward spiral that can bring down your reputation and your business.

Here I outline 10 logical reasons why every organisation should develop a policy of least privilege.

Reason 1: Minimise Risk

In a business environment you really need security decisions to be made by IT, governed by business requirements, when it comes to the desktop. Many users don’t understand the implications of configuration changes, such as files within the Windows folder and protected parts of the registry. If these are altered – either accidentally or maliciously, it can make the system unstable and increases the risk of data leakage.

Simply, if IT doesn’t know what applications and changes users have made or installed, then they can’t be sure that sensitive data isn’t being redirected into the hands of an unknown third party.

Reason 2:  Improve End-User Experience

Security is often seen as preventing users from doing something, but that doesn’t have to be the case. Instead, by adopting a well planned and implemented least privilege policy, you can actually improve the user experience.

Following the example of devices like the iPad and Android Smartphones, which operate in a curated environment, organisations can catalogue a portfolio of programs and applications that are needed, and can be supported. Doing so will help track changes to the system and keep the core system configuration secure.

When users make system-level changes, they can weaken the endpoint or introduce application clashes which can have serious consequences. It also makes it harder to support the enterprise as, if a problem does crop up, IT often get a nasty surprise.

Reason 3 : Move to a Managed Environment

By locking down machines, so that users can only change their desktop configuration and not the core system, you can save time and money – by reducing support costs, lost productivity from network downtime, and the expense of data breach management.

However, to make sure that this facilitates and not hinders the enterprise, thought needs to be given to how the environment will be managed moving forwards. Software distribution, and patch management, at the simplest level could be through Group Policy Software Installation or perhaps System Centre Configuration Manager.

Reason 4: Reduce Support Costs

It’s a fact that secure and managed systems are cheaper to support. This turns security from an initial expense into an enabler.

Reason 5: Encourage Users to Have Fewer Devices

More devices introduce complexity resulting in higher costs. Unfortunately, users needs don’t always match business needs so proper justification for using a device – especially if it’s personally owned, must be demonstrated. If you offer a company car you wouldn’t expect to supply a VW Golf for the week and a Porsche for the weekends!

Even if it makes the employee’s life easier - if it’s going to be too expensive for IT to support, then it’s impractical and needs to be deterred. Where a device is to be allowed then it must comply with company policy and a clear strategy of who is responsible for support developed.