The challenge of protecting multiple and increasingly disparate end user environments

Most organisations have many different end user environments, often across physical locations and comprising individuals who use a wide-range of technologies to handle information. These disparate end user environments are subject to factors such as diverse cultures and different operating conditions that make managing information security extremely difficult. This problem is further compounded by the variety of corporate-issued and personally-owned devices and a blurring of the boundaries between work and personal computing. Furthermore, new Generation Y employees entering the workplace typically want to configure their own user environments, installing personal software such as applications for social networking, instant messaging, peer-to-peer networking and VoIP.According to the Information Security Forum (ISF), new social networking technologies, mobile devices and a more flexible and tech-savvy workforce are leading to increasingly complex and diverse end user environments with many greater security challenges. In its recent research, the ISF also found that vast differences in the knowledge, behaviour and actions of end users create further security risks; and believes organisations need to empower employees to take more personal responsibility for protecting critical and confidential information.“Greater business and personal use of computing and communications and in particular, social networking websites are creating a major headache for information security professionals,” said Mark Chaplin, senior research consultant at the ISF. “Either deliberately or unwittingly, it is all too easy for end users to share confidential information with unauthorised individuals or corrupt critical information needed to support key business processes. Organisations need to recognise that the information security function cannot provide all the protection necessary without a complete lock down. Instead, much of the responsibility lies in the end user environment where more focus needs to be placed on education and awareness to create a culture where employees are empowered to protect corporate information as well as their own personal data.”"Another significant but often overlooked issue in the end user environment involves the widespread development and use of spreadsheets and desktop database programmes by end users to create their own applications,” adds Chaplin. “In many cases these types of application are developed in an ad hoc manner, often outside of corporate control and are poorly protected. This can introduce significant risks when organisations become dependent on them (e.g. to support financial transactions or a manufacturing process) and they fail, for example, as a result of coding errors."In many cases it is not feasible, economical or practical to provide total protection for multiple end user environments. However, the ISF report entitled, ‘Protecting information in the end user environment' – draws on the views and experiences of its members, some 300 of the world's leading companies and public sector bodies – to identify the areas of greatest risk and present practical recommendations."The first step is to understand the broad range of security challenges associated with end user environments in an organisation,," says the ISF's Mark Chaplin, “It is not unusual for management, including senior executives, to be unaware of the value of information that employees have access to and use; the threats this information is exposed to when not adequately protected; and the potential business impact if this information is compromised in the end user environment.” Once the challenges are understood, organisations need to apply a balanced approach to protecting information in the end user environment. This involves establishing a security-positive culture; focussing on the organisation's critical and confidential information; protecting equipment and applications, including those created using spreadsheets or equivalent; restricting connectivity; and addressing the physical security of the end user environment.The ISF briefing report on protecting information in the end user environment is available to ISF members.

Access Control  Authentication  Data Management  Data Security  Digital Signatures  Email Security  Identity Management  Internet Security  Intrusion Prevention  Network Security  Remote access security  Security Management  Security Policies  Security Software  Security Threats  Virus Detection Software  Virus Protection  VPN  Vulnerability Assessment  Wireless Security