When teams don’t talk, hackers win

A new set of surveys by Webroot and conducted by Harris Interactive discovered a serious disconnect between employees and IT departments when it comes to Bring Your Own Device (BYOD) security. That disconnect comes down to a lack of communication between the mobile device users and the IT staff charged with enforcing policies. Users are uncomfortable adding mandatory security controls because they worry their privacy will be invaded, but IT is not only doing a poor job of requiring security applications be installed, it is also not doing much at all to prevent unsecured devices from accessing the network. As a result, BYOD security is weakened, putting company data at risk.

BYOD isn’t the only area where there is a security disconnect. It happens across all platforms and technologies. IT departments don’t communicate with the rest of the employee base regarding security concerns. If the company has an actual security team, it may run a separate operation from IT, and there is another opportunity for a communication breakdown. When the IT team isn’t collaborating with each other, with security or with employees, hackers can take advantage of the miscommunication and attack.

The primary reason for this communication breakdown is simple, says Clayton Knorr, senior security analyst and consultant at Nuspire Networks, a managed network security service provider. “People in business often see security as something that will delay projects and limit their options. This can be the case even in the best of circumstances, and will be much worse if the security team has a reputation for stonewalling ideas and slowing down projects. Other departments will try to avoid interacting with the security team altogether if they can.”

Knorr adds that there is an additional element causing tension between IT and security staff: IT departments may be reluctant to reveal security issues to security staff. “Reasons for this may be they know the solution to the problem will be challenging to implement, and could create pain for the users, or disrupt day-to-day operations. They may also fear that revealing the issues will bring up questions about why the solution was so poorly designed in the first place and who is responsible.”

Hackers end up being the beneficiary because this lack of collaboration can lead to security holes and violations of security policy. “If we are overly concerned about patching a vulnerable, critical system due to its age and stability concerns, yet there are multiple known and active threats, we’ve permitted a high amount of risk to exist in our environment,” says Luke Klink, security program strategist with Rook Security.

“Mal-intent individuals have no concern about the stability and operational effectiveness of a system, as long as they can get in and out with the data they desire,” Klink adds. “Teams need to collaborate to develop IT and security strategies that align to the overall business objectives of the company, while at the same time maintaining an operationally-sound and secure environment.”

Good communication between departments is a universal challenge in the business world. However, in the case of improving network security, improved collaboration becomes an added layer of protection – and comes at no cost. If all of the teams are aware of the mission, the risk, and the environment, everyone can look out for abnormal events and behavior regardless of significance, according to Morey Haber, senior director, program management with BeyondTrust. This empowers everyone to be the security eyes and ears for the company, even though they are not empowered to make security decisions.

Collaboration has to come from the top down, says Haber. “If management can convey a good plan to all departments that balances operational objectives and security requirements, then each department can contribute positively to the overall security plan. If the teams operate in completely different silos, getting them to share and collaborate does not promote any defined goals and generally fails.”

More than just an additional layer of security, good communication is essential to a good and complete security posture, Knorr adds. “Hackers will always try the path of least resistance. It is the old analogy of bolting the front door while there is a wide-open window to crawl through. A security posture has to be comprehensive in order to be effective, which is why good collaboration and communication is indispensable.”

Post by Sue Poremba

Sue Poremba is a security and technology writer based in central Pennsylvania.