Increased security always needs to be weighed against the increased costs imposed on business in implementing a tighter security policy. Every additional check can add both time and a monetary cost to the security process. This is especially true when it comes to managing the flow of digital data in and out of an organization. Malware is constantly evolving, and with the exception of completely stopping all data flow into or out of a network it is next to impossible to fully eliminate the risk of infection.
There are different dimensions to defining an effective data security policy. Employees can be restricted from using specific types of devices, or have certain features, such as USB drives, disabled on their endpoint systems. The data itself can also be analyzed and cleaned, as with OPSWAT's MetaDefender product, where network security administrators can define separate security policies for different groups of users. Each group's security policy can be optimized for the best balance between reducing the risk of infection and facilitating each individual's daily work. The factors that need to be taken into account include the following:
- The likelihood that an individual is knowingly bringing malware into a secure area
- The likelihood that an individual is accidentally bringing malware into a secure area
- What type of files an individual needs to bring into a facility to do their job
- The cost of the time an individual needs to wait while their files are being checked for malware
At one extreme would be a sales rep visiting a secure facility. They are unlikely to be fully vetted before entering, and there is a lot of uncertainty about the source of any digital files they bring in. In addition, they have no need to bring in any digital content other than their sales presentation. In this situation the appropriate policy may be to prevent them from bringing in any digital media or devices, and to require that sales presentations are scanned and converted to a new format to remove embedded objects before being copied to a network location. On the other end of the spectrum would be the IT and security professionals whose job it is to maintain the security infrastructure and keep things running. These individuals are already highly vetted and are very proficient at reducing the threat of possible infection. They will also need to bring in software updates and security patches on a regular basis. An appropriate security policy for this group may be to scan all digital content with several antivirus engines, just to make sure they are not inadvertently bringing in malware with the files they need to do their work.
In between these extremes are other groups that need their own security policies. Average employees may need to carry documents in and out of the office, and may be using company-issued equipment outside of the secure internal network. In their case the appropriate policy may be to allow in only office documents (e.g. PowerPoint, Word, PDF, etc.) and block all other file types. Visiting vendor representatives, in addition to being restricted to specific document types, may also be required to have their files converted to safer file types, just to remove the potential threat of embedded objects.
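The per-group policies described above, modelled as an added example (not OPSWAT or MetaDefender code): each group gets a device rule, an allowed content-type set, a conversion flag and a minimum number of scanning engines, and the file type is judged from content rather than from the file name, so a renamed executable does not pass an "office documents only" rule. Group names, magic-byte signatures, engine counts and the channel labels `device`/`upload` are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed magic-byte signatures: identify a file by its content, not its extension.
SIGNATURES = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "office",      # OOXML (docx/pptx/xlsx) is a ZIP container
    b"MZ": "executable",
}

@dataclass(frozen=True)
class Policy:
    allow_devices: bool           # may this group plug in digital media or devices at all?
    allowed_types: frozenset      # content types admitted; everything else is blocked
    convert: bool                 # sanitize by converting to a new format (drops embedded objects)
    min_engines: int              # number of antivirus engines that must scan the file

# Constructed policies mirroring the groups discussed in the text.
POLICIES = {
    "sales_rep": Policy(False, frozenset({"office"}), True, 1),
    "employee":  Policy(True, frozenset({"pdf", "office"}), False, 1),
    "vendor":    Policy(True, frozenset({"pdf", "office"}), True, 1),
    "it_staff":  Policy(True, frozenset({"pdf", "office", "executable"}), False, 4),
}

def detect_type(data: bytes) -> str:
    """Classify a file by its leading bytes; anything unrecognised is 'unknown'."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def decide(group: str, channel: str, data: bytes) -> str:
    """Return 'block', 'scan:<engines>' or 'scan:<engines>+convert' for one file."""
    policy = POLICIES.get(group)
    if policy is None:
        return "block"            # unknown group: fail closed with the strictest outcome
    if channel == "device" and not policy.allow_devices:
        return "block"            # e.g. sales reps may not bring in media or devices
    if detect_type(data) not in policy.allowed_types:
        return "block"            # judged on content, so a renamed .exe is still blocked
    action = f"scan:{policy.min_engines}"
    return action + "+convert" if policy.convert else action
```

A sales rep's presentation submitted through the `upload` channel is scanned and converted, while the same file arriving on a device is refused outright; an unknown group is treated as the most restrictive case.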
The important lesson is that there is no one-size-fits-all security policy that can be applied to all users in all situations. Policies that are too restrictive for some and prevent them from doing their job would be too loose for others, and would unnecessarily expose a secure facility or network to risk. The best approach is to define a separate policy for each type of user so that risk is reduced without placing an undue cost on the business.