Back to basics: getting to the roots of your company's security requirements

How can organisations define enterprise security in a constantly changing IT landscape? Scott Carver, Business Development Manager of Information Security at Aptronics, discusses what your business needs to know.

By Scott Carver
Johannesburg, 25 May 2015

Heartbleed, iCloud, Sony: three words that should send a cold shiver down the spine of any CIO. After last year's constant stream of high-profile data breaches, many organisations are casting a wary eye at their enterprise security, says Scott Carver, Business Development Manager of Information Security at Aptronics.

Unfortunately, keeping your security current in the face of ever-changing threats can seem like a losing battle. As technologies evolve, so does the complexity of an organisation's enterprise security needs. The firewalls and password protections of yesteryear just won't cut it anymore in the face of trends such as cloud computing, virtualisation of services, and the increasingly globalised nature of business.

Implementing the latest and most expensive security software on the market will not solve these challenges. There is no one-size-fits-all solution. Organisations first need to understand the IT landscape they operate in and how it impacts their business requirements.

In order to effectively evaluate your security landscape, you need to have something tangible against which to measure it, be it business processes, types of information flow or value chains. Companies should engage in a step-by-step process of defining the needs and risks of their organisation, ideally at the implementation and development phase of their IT infrastructure.

Perhaps the most important risk factor your business needs to consider is the people who engage with your processes. Research consistently shows that the majority of security breaches can be attributed to human error, with some surveys placing the number as high as 94%.

Companies need to define user policies to account for vulnerabilities in the security network. As BYOD becomes standard, organisations are facing multiple vectors for attack and must account more than ever for physical exploits.

Banning users from bringing their own devices is simply not feasible. Rather, companies must implement mobile device management (MDM) practices that address access to information and physical security. Unfortunately, MDM can be highly disruptive and often leads to unhappy staff who feel as if their privacy is being infringed upon.

MDM must be accompanied by education. Organisations must carefully make users aware of the personal privacy risks they might face and how to minimise them. These educational initiatives should outline not only what the policies are but also why they are in place. Ultimately, end-users must understand the impact that their access to information could have on their organisation's larger business goals.

Personalisation is important here. It is important not to frame the conversation around risk management policies in a way that introduces fear and doubt, but in a way that constructively engages employees.

It's important to remember that an organisation can never fully eliminate security risks. Just as a driver can never fully rule out the possibility of an accident, there is always a risk of a security breach in IT. However, building a strong security strategy and promoting awareness among users is one of the greatest weapons organisations have in facing the never-ending tide of security threats.