Targeting risks with corporate security planning
OVERVIEW As the world becomes more connected, the task of securing information extends beyond hardware, writes Barnaby Page
A hard drive goes missing, a server is hacked and the very survival of an organisation is threatened. In Skyfall, James Bond comes to the rescue, but for millions of British businesses, public sector bodies and non-profit organisations, the outcome of such security breaches is likely to be anything but glamorous, and the ending unhappy.
In a world where enterprises and individuals depend on an increasing variety of digital resources – not just the PCs, servers and networks that defined IT in the past, but notebooks, netbooks, smartphones, tablets, cloud services, social media and more – security is complex and its requirements permeate everything that an organisation does.
Work and technology are now so interwoven that it is not just hardware: business processes and employee behaviour can also make the difference between a secure organisation and a leaky one.
For example, data is no longer confined to a comparatively small number of centralised servers safe behind a firewall. High-capacity storage is now so cheap – think of the scores of gigabytes available even on an MP3 player – and so much business is transacted via internet intermediaries, such as email providers, that information has migrated away from the data centre and settled all over the digital landscape.
That makes it all the more exposed to theft or abuse, and brings significant legal risks too when organisations are responsible for protecting their clients’ and customers’ information.
Yet the vast majority of enterprises continue to engage in “old-think” and focus their energies on securing devices, rather than data. Their priority should instead be to identify which data is most sensitive – the information if lost, damaged or exposed would cause the most harm to the business – and where it lies. That will then point them towards the devices, processes and individuals that need to be considered as part of a holistic security plan.
The technology concerned will not necessarily be part of the corporate IT infrastructure. Today’s employees have digital devices in their pockets and their living rooms. It is only natural that business information will find its way on to these for convenience and it is inevitable that sometimes the information will be used naively. Who has not posted a work-related comment on a friend’s Facebook wall?
Securing such devices as hardware is all but impossible: clearly communicated policies and advice may, however, persuade staff to act as responsible guardians of the data that they hold.
And it is not only theoretical vulnerabilities that are increasing. Actual threats are growing in severity and complexity, too; as more critical data is held digitally, the more tempting a target it becomes. The arrival of cloud computing and the closer attention given by governments to regulating data privacy, add further complications.
Total security is an unattainable goal. No IT department rules absolutely. But extending the scope of information security practices and policies far beyond hardware, to encompass the behaviour of the business itself and its individual members, will provide a solid basis for addressing any specific risks that may arise in the future – and is likely to be a lot more effective than Bond-style gadgets.