Security measures that slow down IT performance prompt users to seek out short cuts that leave companies vulnerable toattack.
Peter Sandilands, regional director of VPN and firewall vendor, Check Point Software Technologies, said an overlookedthreat to information security is frustrated users working around security measures they believe impact their abilityto complete a task.
Business users are demanding IT systems that can crunch more data, from more sources, quickly, Sandilands said"However, too many e-security policies and technologies have failed to keep up with this trend, and are inhibitinguser performance," he said.
"If users need to get information in a timely fashion, they go home and download the information, and maybe suck downa virus in the meantime and take it back to work," he said.
"It's like having an armed guard at reception and all the doors locked and issuing all the staff passes, only to havesomeone prop open a door with a phonebook. A lot of people will take advantage of the open door."
Simon Hackett, managing director of Internode, agreed a common occurrence is the worker who takes home a laptop anddials into the local ISP, then returns to the office unknowingly armed with a virus on the laptop.
"This is what happened with Nimda," he said.
Sandilands said the problem is in a company's security policies.
"At its most basic level, security is a prevention tool designed to stop things from happening. But IT is a technologythat allows thing to happen, information to become available, communications to open," he said. "Companies need toswitch to security as an enabling tool not a prevention tool. Instead of putting in place a slap dash security policy,companies need to think carefully about how to help users work, not prevent them from working."
"A lot of companies brag about how fast their firewalls are, but if your link to the Net is slow in the first place,users will still get around security measures. Companies need to focus on architecture and look at its capabilities,"Sandilands said.
Security measures should not just be an add-on, but need to be integral part of IT strategy and needs to be carefullyplanned.
"Enterprises that design networks, and then add security devices create additional hops, thereby creatingbottlenecks," Sandilands said.
Hackett agreed, "It's a question of policy. Rather than just whacking up a firewall, companies need to tell theirstaff what the rules are and what the firewalls are there for. Otherwise it becomes a game and the staff play it. If afirewall seems to stop a user getting the job done, they'll go around it. Security measures are secondary, but policyis primary."