Whether it is the FBI’s sheepish acknowledgement that at least 10 of the 160 agency laptops that have gone missing in recent years contained “sensitive or classified information”, or the drama of retailer TJX’s February admission that another theft incident, which put its customer credit card information in the hands of thieves, impacted more people than originally thought, security incidents keep making headlines and vexing organisations.
Unfortunately, even the best security technology in the world can’t completely protect a company from the biggest vulnerability it has — its own end-users. Security researchers repeatedly label users the biggest threat to enterprise security. Unlike applications that can be patched or systems that can be hardened, users — whether through naivete, carelessness or malicious intent — continue to expose IT resources to serious security threats.
“Security is fundamentally a human issue,” says Scott Crawford, an analyst at Enterprise Management Associates. “Human nature can be totally unpredictable, so when it comes to IT, the risk posture changes every day.”
And as enterprise data becomes more portable and thus more vulnerable to an evolving list of threats, both the dangers and the costs associated with these risks continue to rise. Companies face serious economic consequences from data breaches that can damage their reputations and result in remediation expenses, fines and other costs.
A study conducted by the privacy think tank the Ponemon Institute and funded by security vendors PGP and Vontu pegs the cost of a breach at an average of US$182 (NZ$256) per lost or exposed record. And costs can rise beyond that, depending both on the business the breached company is in and how critical the records are to that organisation. For example, data aggregation vendor ChoicePoint, which delivers risk management and fraud information to clients in the insurance industry and other fields, watched its market capitalisation plummet US$720 million after news that 145,000 of its consumer accounts were compromised after a breach of its systems.
But while safeguarding networked information in a time when data is so mobile is a challenge, businesses that apply the right security techniques and technologies can successfully protect their resources. This starts with having the best first line of defence possible: an effective set of enforceable enterprise security policies that address how and by whom information should be accessed, stored, transferred and handled. Organisations need to communicate policies to staff members, contractors and partners that have access to this information.
“What you want to do is create in your organisation a culture that has security in its core,” says Robert Lerner, an analyst at Heavy Reading, a market research firm.
Lerner says communicating the policies that control all points of data contact — both incoming and outgoing — is really what forms the foundation of this security-focused culture. To be effective, these policy communications need to be ongoing, rather than just a one-time monologue that takes the form of a page in the manual employees receive on their first day and never review again.
In reality, security education and continual reinforcement of policies and procedures can turn out to be the most powerful weapon businesses have to protect themselves. Lerner says organisations that institute, communicate and enforce effective security policies can not only minimise the risk of data loss or exposure but can also potentially eliminate the need for some costly security products.
“Technology isn’t going to solve everything,” Lerner says, “But that doesn’t mean you can’t supplant technology with other controls — human controls — to secure your organisation.”
Yet some businesses still balk at putting the proper focus on making IT security policies a priority. There are myriad reasons for this hesitation, including the fact that many businesses have thus far escaped major damage from a security breach.
In other cases, organisations are simply overwhelmed at the prospect of setting company-wide IT security policies to protect data that quite literally travels both within and outside the firewall. With users moving data across the enterprise network and the web, on laptops and other mobile devices, and to printers and storage devices, IT security policies have a daunting amount of ground to cover.
However, analysts say organisations don’t necessarily have to boil the ocean to conceive and execute successful security policies.
Crawford suggests that one route companies can take is to determine which information would put the business at risk if it were abused or stolen and then outline policies for safeguarding that data.
He recommends that companies create a sliding scale of security policies based on categories of information. The stringency of the data-handling policy for a particular category would depend on the sensitivity of the information in that category.
Data records that, if compromised, would have a serious impact on the company and thus should never be publicly disclosed should be subject to very special control policies. And finally, information that should only be confined to the company should be locked down completely.
Of course, the best conceived security policies are useless if users don’t adhere to them and if the business can’t enforce them. Thus, success depends on the security organisation’s ability to educate employees, contractors and partners that have access to corporate IT resources. This should involve a combination of written and oral communications that come both directly from the security organisation and from supervisors.
Automation is another critical tool for enforcing security policies. Whether it’s something as basic as removing the manual work associated with distributing antivirus software updates to user computers or something as sophisticated as restricting what data can be printed or stored on a USB drive, Crawford says that without automation the task of administering corporate security policies becomes unwieldy.
There are a number of categories of security systems that can play vital roles in policy enforcement, including established technologies such as encryption and cutting-edge options such as information structure and classification management tools that identify information records and apply the actions the relevant policy requires to protect them.
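To make the sliding-scale idea concrete, here is a small added example (written for this page, not code from any vendor or analyst quoted in it) of the kind of automated classify-then-enforce check the paragraphs above describe. It sorts a record into one of three assumed tiers, public, internal-only and restricted, by looking for content that would put the business at risk: a card number that passes the Luhn check (the article’s TJX case is exactly this kind of data) marks a record restricted, while a "confidential" or "internal only" label marks it internal. A handling policy then decides whether an action such as printing or copying to a USB drive is permitted, and the audit line it produces never contains the full card number. The tier names, the action names, the policy table and the sample records are all constructed assumptions for the example.

```python
import re
from enum import IntEnum


class Tier(IntEnum):
    """Assumed sliding scale: higher tier = stricter handling policy."""
    PUBLIC = 0       # may leave the company
    INTERNAL = 1     # confined to the company
    RESTRICTED = 2   # serious impact if compromised; locked down completely


# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
INTERNAL_MARKER = re.compile(r"\b(confidential|internal only)\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to keep plain long numbers from being flagged as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return the digit strings in `text` that look like valid card numbers."""
    found = []
    for match in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def classify(text: str) -> Tier:
    """Assign the record the highest tier any of its contents triggers."""
    if find_card_numbers(text):
        return Tier.RESTRICTED
    if INTERNAL_MARKER.search(text):
        return Tier.INTERNAL
    return Tier.PUBLIC


# Assumed handling policy: the set of actions each tier still permits.
POLICY = {
    Tier.PUBLIC: {"print", "usb_copy", "email_internal", "email_external"},
    Tier.INTERNAL: {"print", "email_internal"},
    Tier.RESTRICTED: set(),   # locked down: no export action at all
}


def mask(digits: str) -> str:
    """Keep only the last four digits so audit logs never carry a full card number."""
    return "*" * (len(digits) - 4) + digits[-4:]


def decide(text: str, action: str, user: str = "unknown") -> dict:
    """Classify the record and return the enforcement decision plus an audit line."""
    tier = classify(text)
    allowed = action in POLICY[tier]
    cards = ",".join(mask(c) for c in find_card_numbers(text)) or "-"
    audit = (f"user={user} action={action} tier={tier.name} "
             f"allowed={allowed} cards={cards}")
    return {"tier": tier, "allowed": allowed, "audit": audit}


if __name__ == "__main__":
    # Constructed sample records; 4111 1111 1111 1111 is a well-known Luhn-valid test number.
    samples = [
        ("Order 4111 1111 1111 1111 shipped to customer", "usb_copy"),
        ("CONFIDENTIAL: Q3 pricing model", "email_external"),
        ("Press release: new store opening", "print"),
    ]
    for text, action in samples:
        print(decide(text, action, user="jsmith")["audit"])
```

The Luhn step is what keeps the check from flagging every long number (order references, phone numbers run together) as a card, and the masking step is the detail most often forgotten when an enforcement tool writes its own logs: a log that records the blocked card number in full has just created another copy of the data the policy was meant to protect.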
Yet even though systems such as these can help organisations improve information security, there are many organisations that are behind the curve when it comes to setting and carrying out security policies.
“I am appalled. I don’t think things have really changed even after all the high-profile losses,” says Heavy Reading’s Lerner.
He suggests that companies that don’t enforce solid security policies are playing roulette with their most important commodity — their data — and their futures. He says companies that wouldn’t operate without a firm policy on internet use also need a set of policy definitions to guide users and administrators on how to handle corporate information.
“The cheapest thing you can do to protect your information is to hold employees accountable,” Lerner says.