Employees are the Missing Piece of the Security Puzzle

Written by Richard Blanford

Companies spend a significant amount of their IT budget on security systems, from firewalls to data loss prevention (DLP). None of these will be successful unless people adhere to them, yet a survey found that almost a quarter of employees believe data security is not their responsibility. Many behave in ways that heighten the risk of data loss, whether knowingly or accidentally, innocently or maliciously.

To ensure corporate security is maintained, organizations need to develop a security-conscious culture in which employees adhere to policies and procedures. The list of considerations will differ for each organization. For some, the primary risk is the loss of sensitive corporate data, whereas for those developing innovative new products commercial espionage is the concern. There are also ever-stricter statutory compliance and governance obligations, such as the Sarbanes-Oxley Act and the Payment Services Directive.

It is essential to define security policy and obtain employee buy-in and commitment before looking for technical solutions. Users need to understand why security is important and what the consequences of getting it wrong are. They are much more likely to comply if they understand the risks than if they simply see security as a set of annoying rules which prevent them from working as they wish.

Security policy should be enforceable, realistic, acceptable to users and compliant with personal privacy laws. There should be no ambiguity: everyone should be clear on exactly what is and is not allowed, as well as the penalties for policy violations.

Being realistic means understanding and taking account of employee behaviour. In many instances an increasingly technically aware user population is simply configuring its own remote and email access outside corporate IT security guidelines, or bringing personal devices into the office and connecting them to the corporate network. These devices can then be used to store sensitive corporate information. IT teams need to acknowledge this and define their policy to handle the situation. They should also encourage users to come to them for advice on using personal devices. A combination of carrot and stick is the most effective solution.

User education is essential. For example, a key control that may be used to protect data is disabling the use of USB drives and other mobile storage devices. This usually proves to be an unpopular decision, so user education and awareness training must be an important part of implementing this control.

It is also vital to obtain board level commitment. Too often we see that the implementation and management of information security is left to the IT department. Security policy needs board level commitment before implementation, executive sponsorship during implementation and user education at all levels to ensure everyone understands what they need to do and the penalties for policy violations. These penalties should be equally applicable at all levels of the organization. If the managing director (MD) wants to connect a new tablet to the corporate network, this must be done in accordance with corporate security policy and be subject to the appropriate penalties for any non-compliance.

Implementing security policy also means obtaining commitment from the various data owners within the organization, who should be responsible for managing and keeping their data safe once the security solutions have been implemented. They can use DLP tools, for example, to define granular and specific policy and reporting requirements appropriate to their needs. Typically the security problems we see occur where users are allowed to store data on their own machines. Data owners should also be given responsibility for ensuring that data is consolidated in a central network location, as DLP works best when data is organized and structured.

Another area where employees can threaten corporate security is their use of passwords. Today we need to access an increasing number of systems, many of which are no longer hosted internally, each with its own authentication requirements and multiple, ever more complex passwords. The result can be passwords on post-it notes, users reusing the same password across systems, or users avoiding logging out. Most organizations have implemented policies to try to eliminate this type of behaviour, but it still persists, leading to increased security and compliance risks.

One solution is single sign-on, which can be provided through the cloud and used to authenticate against almost all IT services available today. It provides a central account or identity and provisions this into target systems, such as Active Directory and SAP. This manages user authentication and entitlement (depending on the user's role) and compliance, and provides user self-service. Adding the cloud enables single sign-on to web services and access to on-premise applications from any location, and enables the system to act as an identity provider (IdP) for cloud and extranet services via SAML. The result is enhanced application security and improved compliance, as well as a reduced number of service desk calls for lost passwords.
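The single sign-on flow sketched above, as an added example that is not code from the article or from Fordway: a central identity provider authenticates a user against one directory, issues an assertion scoped to a single target system and a short validity window, and the target system verifies signature, audience and expiry before mapping the user's role to its entitlements. The directory, roles, target URLs and signing key are constructed sample data, and HMAC-SHA256 stands in for the XML signature a real SAML IdP would apply; a production SP would verify an X.509 signature from the IdP's published metadata instead.

```python
"""Simplified single sign-on: a central identity provider (IdP) issues a
signed, audience-scoped, time-limited assertion; a service provider (SP)
validates it before granting role-based entitlements.  HMAC-SHA256 stands
in for the XML signature a real SAML IdP applies; all data is constructed."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed shared key (assumption).  A SAML deployment would use the IdP's
# signing certificate, with the SP holding only the public key from metadata.
IDP_SIGNING_KEY = b"constructed-sample-key-do-not-reuse"
ASSERTION_LIFETIME = 300  # seconds an assertion stays valid

# The central directory: one identity per person, with a role driving entitlements.
DIRECTORY = {
    "alice": {"email": "alice@example.com", "role": "finance"},
    "bob": {"email": "bob@example.com", "role": "engineering"},
}

# What each role may do in each target system (constructed sample values).
ENTITLEMENTS = {
    "https://sap.example.com": {"finance": ["post-journal", "view-ledger"], "engineering": []},
    "https://wiki.example.com": {"finance": ["read"], "engineering": ["read", "write"]},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes) -> str:
    return _b64(hmac.new(IDP_SIGNING_KEY, payload, hashlib.sha256).digest())


def issue_assertion(username: str, audience: str, now: Optional[float] = None) -> str:
    """IdP side: look the user up in the central directory and issue an
    assertion bound to exactly one audience (the SP) and a short lifetime."""
    now = time.time() if now is None else now
    user = DIRECTORY[username]  # KeyError: unknown identity, nothing is issued
    claims = {"sub": username, "email": user["email"], "role": user["role"],
              "aud": audience, "iat": now, "exp": now + ASSERTION_LIFETIME}
    payload = json.dumps(claims, sort_keys=True).encode()
    return _b64(payload) + "." + _sign(payload)


def validate_assertion(token: str, expected_audience: str, now: Optional[float] = None) -> dict:
    """SP side: verify the signature first (constant-time compare), then the
    audience and the validity window.  Any failure raises; no claim is
    trusted before the signature check passes."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed assertion")
    payload = _unb64(payload_b64)
    if not hmac.compare_digest(_sign(payload), sig):
        raise ValueError("bad signature")
    claims = json.loads(payload)
    if claims["aud"] != expected_audience:
        raise ValueError("assertion was issued for a different audience")
    if not claims["iat"] <= now < claims["exp"]:
        raise ValueError("assertion expired or not yet valid")
    return claims


def entitlements_for(token: str, target: str, now: Optional[float] = None) -> list:
    """Provisioning view: what the validated identity may do in the target system."""
    claims = validate_assertion(token, target, now)
    return ENTITLEMENTS[target].get(claims["role"], [])


if __name__ == "__main__":
    t0 = time.time()
    token = issue_assertion("alice", "https://sap.example.com", now=t0)
    print("SAP entitlements:", entitlements_for(token, "https://sap.example.com", now=t0))
    try:  # the same assertion must not be accepted by a different system
        validate_assertion(token, "https://wiki.example.com", now=t0)
    except ValueError as err:
        print("wiki rejected it:", err)
```

The audience check is what keeps an assertion issued for one service from being replayed against another, and the expiry bound limits how long a captured assertion stays useful; both are checks a SAML service provider must perform on every assertion, not only the signature.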

About the Author

Richard Blanford founded Fordway in 1991 and has built it into one of the UK's leading IT infrastructure change providers. He then took the decision to develop managed cloud services, which Fordway now provides to a range of public and private sector organizations. An ex-technician, Richard's 20-plus years of experience enable him to prioritize business-critical problems and offer constructive, vendor-independent advice.
