The goal of security isn’t to say “no” to the end users, it’s to protect the business and the data – and through that, the end users, too.
Sometimes it’s hard to protect people from themselves. Businesses run on deadlines, and when someone gets this brilliant idea to make their job faster by not running the data through encryption, it seems to make sense. “Instead of using that slow secure transfer method to get the file to the vendor, we can use FTP (File Transfer Protocol), it’s so much faster!” Never mind that the data in question has PII (Personally Identifying Information) or even credit card numbers attached – the job got done in time for happy hour!
This is a painfully common occurrence, but how do we in the IT security department work around something like this?
The first step is that there needs to be basic controls in place. A very easy one is to make sure FTP is blocked on the perimeter firewall. Next, a clear DLP (Data Loss Protection) policy has to be established with a solution that makes sure all sensitive data is encrypted before being sent off. But none of these really address the issue, that of why the business needs this process to be faster. Learn this and figure out a way to help them speed up the process while keeping it secure and suddenly Security isn’t seen as a roadblock, but into a trusted partner with the business.
I believe this is a key step many security professions fail to grasp. A server that is turned off is the most secure there is, but it is of no help to the business. There is always a middle ground somewhere, work to find that.