Data is King, but Security is Emperor

The digital world is constantly evolving. A truism which can open it up to continued attacks from hackers with data loss being a potential consequence. It stands to reason, then, that enterprises must be highly vigilant if they’re to protect one of their biggest assets: information. Understanding the problem isn’t that difficult, but guarding sensitive data can be. Mark Edge searches for some possible solutions

Realising an effective information security strategy that works for your organisation isn’t simply about bolting down all of the data floating within and outside of your company and constructing ramparts in the shape of a firewall. It might shock you to know that over the last 12 months one of the biggest escape holes for security breaches has been via employees inside the firewall and, indeed, former employees of companies. That being so, securing applications and hardware is only part of the equation.

Frankly, today’s enterprises need to change their collective mindset. They need to put information security ahead of infrastructure security and better safeguard valuable information without putting in place harsh security policies that are impractical and unreasonable for employees and partners alike.

Enterprises have instinctively gone for the ‘pin it all down’ approach. They screen hardware and systems from malware, viruses and other cyber threats and then look to protect applications and data running on these systems that support everyday operations. On the surface, at least, this looks like a workable strategy. Scratch the surface, though, and you will see that protecting the huge amounts of data enterprises generate on a daily basis is both unnecessary and almost impossible.

The first question to ask is: ‘How valuable is all of this information?’ Of course there will be data such as customer records and financial information that must never be compromised. Leaks don’t happen when information is held in secure databases. They happen when that data is exported out of its safe environment.

In addition, there will be ‘raw’ data floating around – such as business forecasts and new business proposals – that may be valuable when analysed. Often, the intelligence from this data isn’t stored on one secure system. Going about their daily business, whether unintentionally or maliciously employees are happily sharing information both inside and outside of the enterprise and often in an unprotected fashion. This is data the enterprise has spent time and money protecting from external attack only for it to be leaked from within. Now it becomes abundantly clear why protecting information and not just infrastructure is so important.

The firewall, anti-virus and malware applications and encrypted fibre networks are all useless in this scenario. Somewhat akin to fitting a burglar alarm on your home and then going out only to leave the key in the door.

Implementing a security policy

Don’t be under the illusion that compliance with legislative and regulatory requirements and internal company security policies will be your saviour. Let me tell you they will not.

It’s true that some of these policies are mandatory in business today, but compliance with legislation and policies written to improve security are often not sufficient for addressing ever-growing cyber threats.

You also need to make sure your own house is in order when it comes to your security policy and ensure it’s regularly updated. Over-complicating that policy and filling it with jargon will only serve to leave employees baffled. They will likely not put it into practice.

It’s estimated that around 70% of enterprises suffering from employee-related security breaches are in this position because of poorly understood security policies. Make your policy a simple one that’s easy to comprehend.

It may surprise you to learn that some enterprises find it difficult to implement one security policy and have countless versions in play at any one time. It makes sense to have a central place for all company policies. Have one security policy that has an owner and is constantly reviewed and updated. Going forward, such a unified approach will make the system both accountable and measurable.

If new business requirements come into play then review your security policy immediately. Don’t leave doing so until the due review date. With the arrival of BYOD (Bring Your Own Device), for example, some enterprises have yet to update their security policies. By not including this trend there’s no doubt companies are leaving their information highly exposed.

Creating a workable security policy that’s adhered to and understood across the enterprise truly goes a long way towards creating a robust security program and is a process that should never be skimped on either in terms of time taken during formulation or budget expended thereafter.

Information before infrastructure

Information is at the epicentre of invasion risk from such challenges as the Advanced Persistent Threat so businesses must place it at the very forefront of their security strategies.

Where sensitive and confidential information is being shared both inside and outside the enterprise, the IT Department must introduce a user interface that’s intuitive and highly functional yet provides the utmost control. With the right tools and a secure environment in place, members of staff can continue to do their jobs on an uninterrupted basis.

Remember that security is ubiquitous. Training on the dangers of carrying and sharing valuable and confidential information will increase awareness of security measures across the enterprise. Also keep in mind that minimising any responsibility for users to change their behaviour is pivotal in implementing a successful security policy.

Employees can also provide a high degree of security protection if they receive training that’s easy to comprehend. Employees are never going to wade through a 70-page security policy so think outside of the box.

Of late, some companies have adopted a games-style interface to security training by way of ensuring employees understand their security policies. Don’t forget that employees are vital in terms of the business’ security defence. They need to be able to recognise possible security threats and risky situations and know how to react quickly (and to whom they should report the detail).

IT professionals do understand the importance of a workable security policy and employee training, but all-too-often they’re forced to cut corners when it comes to policy development. To effectively protect your enterprise’s information, the IT and security professionals within must be given adequate time to create a policy, regularly update it and provide simple and easy-to-understand guidelines and training for employees.

To be frank, the mantra should always be: ‘Make it simple, make it workable’.

Don’t enter ‘Panic Mode’

The biggest mistake enterprises make when it comes to briefing IT professionals on a security policy is going into panic mode and demanding all information be locked down.

In fact, as the starting point leadership should be asking what information actually needs the most protection.

Initial focus should be on high-risk information which needs defending in the first instance. This is the initial stake in the ground when it comes to risk-driven security approaches to security and data protection policies in any enterprise.

Yes, external stakeholders can be a risk, but your biggest danger comes from within. Enterprises should look at key areas such as access and privacy controls and imbue security and compliance polices from the inside of the organisation out. If guarded with rigour then your defences will be that much stronger.

By failing to address risks posed by internal employees, any organisation is simply leaving the door wide open to entirely preventable breaches and data loss. Host organisations ignore this advice at their peril.

Data and information is King, but how you protect it is Emperor.

Mark Edge is Country Manager (UK) at Brainloop

 

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.

Related Posts