Social networks have moved beyond a teen fad: they have emerged as valuable business tools for the modern enterprise, comprising rich applications with real-time interaction and user-generated content.
Local IT security expert and managing director of J2 Software, John Mc Loughlin, has warned companies to act quickly and protect their information assets and the privacy of their electronic identity.
This shift has caused internal information security breaches to escalate to an unprecedented level. With more than a billion active people on social networks around the world, it is crucial for companies to realise the importance of ensuring their information is protected and their risk is minimised.
Unfortunately, each opportunity comes with its own unique problems. Regardless of the technologies and software solutions that organisations deploy to mitigate the risk of information security breaches, the critical factor is always people. Internal staff remain the most feared information security risk.
Mc Loughlin says the only solution is to build information security into the DNA of the organisation and its employees. "Make your people the guardians of your information. Working with both large and small organisations, it has become evident that only a relatively small number of people are maliciously or intentionally non-compliant with a company's IT security policy. In the majority of cases it is found that non-compliance results from unintentional ignorance, often fuelled by unsupervised or misguided use of computers."
Building information security into the DNA of any organisation is the key to achieving compliance and mitigating risk, but it also presents the biggest challenge, especially for large and complex organisations. Even in organisations where other aspects of security are paramount, e.g. national security in defence environments, the internal regulation of information security policies can prove more difficult to enforce.
He says work still needs to be done at board level to change the perception that compliance costs money. "They have the attitude of: 'If nothing has happened, why buy more protection?' It is critical that the buy-in process starts at board level and then progresses down to the general employee level. Achieving this is not easy and the challenges differ according to the level of maturity of the organisation."
Organisations need to be proactive in their approach to security, and there must be a balance between business risk, business operations and business competitiveness. Large organisations are usually divided into departments with associated responsibilities that never 'talk' to each other. These silos foster poor communication, as is often the case between the IT department and the board, or between the audit department and senior management.
Consequently, compliance is often viewed from two or even three opposing perspectives, with each party failing to see the other's point of view or to communicate risk and consequences effectively. An important factor is the different language and terminology used by the IT and finance departments, which may not be clearly understood by those who need to know.
There are also examples where risk has been communicated but purposely ignored when it is financially advantageous to do so. In these cases, the audit department 'red flags' certain suspicious activity to management but is somehow ignored. Reluctance to escalate a known irregularity is highly likely if the irregularity is generating large sums of money.
"Risks arise when a company has multiple external providers and none of them meet the same standards of internal compliance and risk assessment, often because they do not face the same regulatory pressure. This is when trust has to play an important role and the associated risk may be high. Balancing risk and compliance when a large percentage of people working on a project or deal are external, or where aspects of the business are globally outsourced can be problematic," he explains.
"With all these challenges, how do they build information security and compliance into the DNA of an organisation? There is a simple answer: it will take some time, effort and commitment from everyone, but for total success the entire initiative must be led from the top."
Driving down the cost of compliance is the key not only to competitive advantage, but also to compliance being taken seriously and becoming part of a cost-effective executive risk management strategy. If compliance is too time-consuming and complex, it will be ignored or shortcuts will be taken.
Compliance must be turned into competitive advantage, whereby the opportunity cost of being compliant is vastly reduced. To help achieve this, compliance roles should not be separate, but should be seen as business enablers, integrating the compliance needs of audit and IT and communicating them at board level.
When information security is embedded into an organisation's DNA, compliance not only involves observing the formal rules as laid out in the policy, but also includes observing the informal rules governing circumstances that may not be anticipated. Observing these informal rules will demonstrate that security is well and truly embedded in the organisation's DNA.
Once this process is initiated, a simple but effective test of how well security is embedded into the DNA is to leave a confidential document on the floor in a common area and see how it is handled by passing staff.
Preventing staff from accessing social networks is no longer an option; company executives instead have to apply sound security measures to ensure their information is protected and costs are controlled. It is critical for all companies to create the correct environment, where all staff are empowered to be the guardians of information.
The objective must be to identify the challenges that organisations face and implement all possible solutions to mitigate the risk that the human factor poses in an organisation's information security strategy.
"Employees must be confident in handling situations where they may not have the familiar security parameters around them and the informal rules or corporate morals will kick in automatically," he concludes.
For more information, contact J2 Software on 0861 00 J TWO (5896) or e-mail john@jtwo.co.za.