Information security has gotten a reputation as the “Department of No,” the place where new ideas go to die. This is especially problematic in a higher ed environment, where exploration is a central purpose. What if there were a way to protect our users, our systems, and our data without squelching innovation?
When your job requires “breaking the rules” of security
Security practitioners, on the whole, are very fond of lists of best practices that presume an ideal set of circumstances unlikely to be present in real-life university and college environments. There’s always that one machine that requires legacy software so that a specialized tool can be used, or the user who simply must be allowed to access things that make security folks want to scream in horror.
One of the most common pieces of security advice is “Don’t click on unsolicited or suspicious attachments.” But what if receiving unexpected files is actually a necessary part of what you do? Students as well as staff face this situation, and criminals are actively taking advantage of this necessity to spread their creations. Not to mention that expected files or links can still expose us to digital hazards such as macro virus infections or malvertisements.
Do what the malware analysts do
Rather than shut everyone down by fiat or throw up your hands in resignation, let us consider the example of malware analysts, whose job is to wade through a never-ending sea of files that are very likely to be harmful or malicious. And yet, malware analysts can do this safely.
While it might be an ego boost to say this is just because we’re such a professional and skillful bunch, the reality is that it’s also because we have tools in place that protect us from accidents and mistakes. It’s crucial to have understanding as well as effective layers of defense.