The security officer is not the enemy
All too often the IT security department is seen as a completely separate entity from the rest of the business: a battle of wills between employees wanting to do their jobs as quickly and painlessly as possible, and the security staff who hear alarm bells at the mere mention of BYOD. But the consequences of a security breach are very real, so finding the balance between your business and IT priorities is crucial.
The recent 2013 (ISC)² Global Information Security Workforce Study reported that over 70% of C-level executives cite BYOD as their biggest security fear although, surprisingly, a majority of them have failed to implement security policies to combat this. As tablets, smartphones and web apps like Dropbox make remote working much easier, the threat to the business rises.
From competitor espionage, to viruses, and even terrorism - there is a long list of potential threats to your systems. Most breaches aren't in fact malicious but the result of careless employee actions; yet if your data gets into the wrong hands, the result is the same regardless. This is why it is so important to communicate the consequences of taking seemingly insignificant shortcuts.
Something as trivial as bringing a USB drive into an office can put your business at risk of viruses and spyware being planted, or of confidential data being taken off-site. The contents of lost or stolen hard drives, even if they're password protected, would be accessible unless they were encrypted.
Hacking is becoming more sophisticated every day - but so are the preventative processes that can be put in place to beat it. So, what can you do to keep your data in safe hands?
Govern from the top
Communication is key. Policies should be implemented and enforced from the top. We commonly see departments detaching themselves from the issue of IT security but this "them and us" attitude needs to be eliminated. It's the manager's responsibility to make sure security decisions are a cross-departmental process and that their importance is embedded at every level. The security officer shouldn't be the enemy.
Find your balance
There is no hard and fast answer as to the security policies you should implement. Finding a balance that works for you is important. Do you want to ensure watertight security through stringent processes but risk a drop in staff productivity? Do you allow your staff to work on personal devices with more freedom and a less strict security policy? Or do you try and meet somewhere in the middle? This should be a collaborative decision.
Know when to outsource
Some requirements are better served by managing them internally. Others are more easily met by outsourcing to a service provider. By working with a Cloud Service Provider (CSP) who understands the security risks to your business and has the ability to mitigate them, you significantly lower your chances of a data loss. Service providers need to maintain high security standards to meet the needs of all of their customers. Our data centres are 30m below ground in ex-military bunkers, for example, with our servers kept in Faraday cages to guard against electromagnetic pulses and digital eavesdropping.
Look for accreditations
Accreditations are a good indicator of a reliable service provider. ISO 27001, for example, is an international information security standard that signifies an organisation undergoes regular risk assessments (at least annually), and has stringent controls and processes in place to protect the integrity of its clients' data. A benefit of working with an ISO-certificated CSP is that, generally, most of the risk is offset to them.
The thought of a security breach is scary, but very real; we've all seen the recent high-profile data losses in the news. Communicating these risks to your staff at all levels will help to reinforce the idea that compliance processes are not there to inconvenience them, but to protect the integrity of the business.