Brainloop: Security Policy - Five Keys to User Compliance (White Paper)
WHITE PAPER
Five Keys to User
Business users are a key part of a company’s security, and even the most
conscientious employees can introduce serious breaches of security policy.
IT can do everything in its power to secure the company’s confidential
documents — provide first-class security infrastructure, develop reasonable
security policies and engage in extensive communication and training — yet
still people fail to comply. The solution is to provide security that helps
people do their jobs more efficiently, thereby inducing users to follow best
security practices without even knowing it.

IT managers have long suspected: users, as they naturally go about trying
IT too often is portrayed as the security heavy, forced to try to halt such
security. Feeling these steps hinder their productivity, users go to great
lengths to avoid or circumvent even the most reasonable security measures,
It is hard to blame the users; they are just trying to get their jobs done as
people fail to comply. What more can IT do?
The solution is to provide security without making it difficult for users to
do their jobs. For example, if IT can offer easy group collaboration within a
transparently secure setting, or eliminate the need for users to send sensitive
documents by email, users can be as productive as ever, or even more so.
And since the environment is inherently secure, users are following best
security practices without even knowing it.
In the paper that follows, you will find five ways IT can facilitate user productivity
while automatically ensuring safe security practices. In each case, users are
unhindered by security procedures, yet their work is conducted in a
transparently secure environment. Even better, the environment actually
streamlines processes and improves efficiency, leading users to make it their
preferred work environment.
Evade and Ignore Security, Ponemon Institute, June 10, 2009
White Paper – Security Policy
In some cases, such as those involving negotiations [see #3 below], the
secure environment actually gives workers a distinct advantage.
And as people experience the advantages of working within such an
environment, advantages like increased efficiency or negotiation leverage,
they readily return to make use of these advantages. Suddenly, IT no
longer needs to force compliance with document security procedures.
Users willingly comply, often without even realizing it.
The following table illustrates unsafe behaviors resulting from human
factors that can be reduced or eliminated through a transparently secure
environment, which also makes work easier or more efficient for the users.
In all the cases above, security is built into the online environment
of a security issue.
| Business Practice | | Mitigation Strategy |
|---|---|---|
| 1 Group collaboration on documents, presentations, analysis | People often use email where delivery isn’t assured or can be intercepted; Easy to accidentally send to the wrong person with a similar name | A central document repository eliminates the need to send unsecured emails; No need for multiple versions distributed among group members |
| 2 Project collaboration with vendors, contractors, | Unauthorized forwarding of documents; Never sure who has seen the material | Put usage restrictions on documents: disable printing or forwarding; Share large files; Ensure all have the most recent version; Track receipt and viewing |
| 3 Confidential bidding and negotiation | Difficult to prevent documents from being leaked to unauthorized parties; Difficult to gauge interest level | Due diligence documentation in the secure environment is protected; Able to see which bidders have read the documentation most thoroughly |
| 4 Traveling or multi-location | Users take files home or with them on a USB, running the risk of loss of the USB and its contents; May require use of a cumbersome VPN; Need to continually synch systems | Safe, convenient remote access to centrally stored and secured files; No need to copy files to USB or synch to laptop |
| 5 Boardroom minutes / Sensitive communications | Documents are at risk during distribution by email or as paper documents via delivery services; No effective decision-making structures outside of scheduled meetings | Secure access to all documents; Enables confidential online voting; Eliminates risk and expense of courier |
The business advantages of a transparently secure work space quickly
Increased productivity through easy group collaboration that removes version
Improved security and productivity through the elimination of email mix ups and crossed, delayed, and lost messages, which not only reduces business risk but also cuts down the amount of email flooding into users’ mailboxes that must be managed
Improved communication in collaboration and bidding processes through the identification of which documents have been accessed and by whom, spotlighting the most interested parties and pinpointing uncompleted tasks
Increased mobile efficiency by avoiding the tedious chore of synching documents between desktop, laptops, and mobile devices when traveling since all the data is available via the Internet anytime in the secure work space
Improved governance efficiency by creating an audit trail of accesses and changes to documents that address corporate policy or are required for regulatory
Reduced need for costly, time-consuming, and inconvenient travel and shipping
From the IT perspective, the deployment of a secure work space eliminates the
need to enforce heavy-handed security policies on reluctant users. Instead, the policies
are enforced transparently and automatically, resulting in better security while
reducing tension between IT and users.
For everyone — IT, users, and the business — it becomes a win-win-win situation.
IT doesn’t have to play the security heavy, users don’t feel burdened but actually
feel more productive, and the business gets better security and increased productivity.
Appendix: Brainloop Secure Dataroom
users inside and outside your company. Top encryption, sophisticated security
documents and enabling document sharing and collaboration among authorized
unauthorized users. Frequent uses include contract negotiations, project