How do you ensure information security in an uncontrollable environment?

How do you ensure information security in an uncontrollable environment? Years ago, information security was equated with information control and control of access was the principal goal of most IT organizations.  From my perspective, while there was a heavy emphasis on Access control and Auditing, Authentication was thought of as usernames and passwords only.  Today, most institutions don’t have control of their user hardware environments and with cloud services and outsourcing, are losing control of their server environments. But is control really security?  If it is, do you have security if you lose control? While every institution must follow any legal or professional information security mandates and best practices (patching\AV\physical restrictions etc), rearranging your security posture can change the equation and make security more manageable.  Consider the following suggestions to reduce the noise and change your IT attack profile.

Make passwords long, unique and complex but stop making people change them constantly.

People hate being forced to change passwords.  Passwords are a fact of life and they will be a cornerstone of everyday IT management for decades to come. Long and complex passwords reduce the chance that users will have the same one for work that they do for their personal life.  In reality, most people use the same password for everything no matter what security people tell them.  A long, hard to crack password that people actually know is arguably more secure than PASSWORD123.  A good solution to this conundrum is a Passphrase instead of a password.  The best is 2 factor authentication.

Monitor your systems

Utilize and external monitoring system to keeps tabs on system performance and status.  This allows you to respond more quickly if you do have an incident and critically, gives you an offsite set of data\logs that can be used in the aftermath or for auditing purposes.  A systems monitor solution shifts the burden of watching systems off of IT staff so they can focus on other projects (like the ones in this post) and allows you to be proactive instead of reactive to system health.

Configure a guest network for Wireless Access

Visitors, guests and temporary workers should not have access to your network.  Period. Allowing guests on your wireless bypasses all your authentication and access planning.  Setup a guest network that has only internet access, ensure it has a password, is encrypted and kick users off after some predetermined amount of time.  If they need more access than that, they should go through some sort of onboarding and institutional vetting.  Solutions like Sharepoint file sharing and One Drive can allow collaboration without direct file server access.

Segregate your high priority data

This is a difficult step but is very helpful.  Would you leave all your valuables scattered around your house during a large gathering or would you segregate them, putting them in a safe or special place?  Treat information the same way.  All the files that a temp is using for a marketing mailing are probably not as important as the bank account numbers stored by the CFO.  Consider physically keeping critical data on a dedicated infrastructure (servers\network) that can be more carefully monitored and maintained.