
Closing gaps in information security goes way beyond technology

Companies must have a comprehensive risk management strategy that starts at executive level, says John Mc Loughlin, MD of J2 Software.


Johannesburg, 17 Jul 2013

Mitigating the risks caused by breaches to company information is not only based on compliance and the use of security technology and software programs; it's largely an issue of understanding your business and motivating staff buy-in. This is the opinion of J2 Software's managing director, John Mc Loughlin, who advises on prevention strategies, including embedding a culture dedicated to protecting the intellectual capital of organisations.

A number of high-profile security breaches around the world have pointed to how costly and devastating this can be to a business and its reputational management. Developing countries are particularly vulnerable with the rapid spread of Internet connectivity and accessibility. Individuals and organisations without watertight security measures in place can fall prey to increasingly sophisticated strategies to get users to part with sensitive information.

"It is critical that your users are the first line of defence and are highly motivated to become the guardians of an organisation's information," says Mc Loughlin. "It is virtually impossible to plug every hole as the protection of information would become a never-ending task. Yet a reactive response to specific incidences of security breaches as they arise is also counter-productive."

He is a firm proponent of a comprehensive risk management strategy that starts at executive level. "Companies should put the same emphasis on information security as they place on health and safety. Today's competitive information-driven economy that often relies on quick implementation of business opportunities makes ICT governance, risk and compliance (GRC) utterly essential and should be part of a company's DNA from board level through to all departments and functions for sustainable growth. New laws and governance codes should be seen as an opportunity to increase your competitive advantage and not as an inhibiting factor.

"Ticking boxes to comply with regulations won't protect your business. You can't implement a strategy if you don't understand how information flows in your business and the risks associated with outsourcing. The information architecture blueprint and its evolution need to be continually shared with staff using a number of visible and high impact communication tools. These include trained facilitators, security road shows, computer-based training, visual reminders such as screen-savers, annual security weeks, workshops and live simulations.

"Staff should also not be censored for revealing errors, but encouraged with recognition for spotting internal and external threats and implementing security measures. An understanding that user mistakes are considered an opportunity to learn is a good place to start and encourages proactive monitoring and enforcement," he says.

Experience has shown him that non-compliance is often not malicious, but rather a factor of human error and a lack of in-house expertise. Another factor is compliance fatigue from ever-changing legislation and cost-avoidance.

A baseline audit is useful as a compliance assessment exercise to motivate the board and senior executives in an effort to gain their understanding and support for backing security measures and any additional funding that may be required.

"Computer-based solutions and ongoing training are the most powerful methods of instilling staff awareness and ensuring adherence to policies. Condensing lengthy policy documents and audit reports into practical solutions should be driven by the IT department, with support from HR, so as to be dynamic and easy to implement. Automated electronic tools, and ongoing awareness integrated across all departments, help combat new threats that result from changes to the business and increasing external threats.

Information and documents moving between departments can mean that the confidentiality and protection of this information is compromised so it is essential that an organisation instils a general understanding that it's everyone's responsibility to protect the intellectual property of the business, no matter how insignificant it may seem.

"All of these factors must be taken into account when considering the implementation of a long term governance, risk and compliance strategy," Mc Loughlin concludes.

J2 Software

With global markets in a state of constant flux and companies looking for innovative ways to ensure their survival, more companies are resorting to protecting their market share and optimising their internal resources at all costs. J2 Software has been at the forefront of helping companies achieve these goals by providing effective and easy-to-manage data security and policy enforcement solutions.

J2 Software provides solutions and services that allow its customers to leverage technology to reduce risk, improve compliance, cut costs and keep control. The company offers its clients complete peace of mind through the cost-effective delivery of world-beating policy enforcement and compliance solutions, communication cost allocation, data security, encryption and PC protection tools and services.

The company has implemented solutions in South Africa, Angola, Botswana, Kenya, Malawi, Mauritius, Mozambique, Tanzania, Uganda and Zambia.

J2 Software represents SystemSkan, Mimecast, Zscaler, SentryBay, Aspivia, Secude, Avira and Flickswitch.

Editorial contacts

Mia Andric
Exposure
mia@exposureunlimited.net