Editor's Blog and Industry Comments

The folly of running IT security technology without a policy

21 September, 2007
However obvious it may seem that beating identity thieves, hackers and other cyber-criminals can't be achieved through technology alone, the IT security vendors would have us believe that there remains a very large number of companies that have all the bells and whistles in place to protect their information assets but don't have an adequate policy to reinforce it.
Take the simple misdemeanour of accessing inappropriate web-sites at the office as an example. It's hard to believe that anyone who knows that their activities are being monitored would risk their job by visiting disallowed web pages, and yet three Welsh council workers have just lost their jobs for spending their working hours on eBay. OK, we now know that Port Talbot council workers shouldn't use eBay at work, but what about Auto Trader, Amazon or Friends Re-united? Can they look for their dream car, buy a book or look up an old pal during their coffee breaks? Without a policy, nobody knows.

The same argument extends to other areas that are more critical than listing a set of allowable domains. Data walks out of corporate doors every day on flash memory. In some cases, technology may be in place to prevent this, but if it isn't, then what can you take home with you? And given that you can't realistically encrypt everything, what should be encrypted and what shouldn't? This is a matter of policy, not technology.

The majority of corporate employees don't have any malicious intent towards their companies and a large number of potential data breaches are caused by people who don't know that they're doing anything wrong.

Car drivers know that ignorance of the law is not a defence, so they can't say that they didn't know about the speed limit. It's in the Highway Code which, incidentally, is a pretty good policy model.