Security isn't just about technology. John Kendall, Unisys Asia Pacific director of security programs, offers some pointers on the human side of IT security solutions.
Advising clients about the security of their IT systems and data presents particular challenges for resellers because the quality of the advice you provide will only be apparent if something untoward happens.
When consulting about improving IT security always take a holistic approach. No firewall or scanning technology can, by itself, deal with the full range of risks. Of course you have to erect defences against deliberate, targeted external attacks, and opportunistic attacks from malware.
But you also have to protect against the threat from within: the risks posed by employees who deliberately misuse company data, as well as the real threat of sensitive data being exposed as the result of an accidental breach.
And the seniority of the perpetrators may surprise you: recent research suggests that executives who have access to the most valuable company information are more likely to display risky behaviours.
We live in an age of data breaches. The public has a low tolerance for them, and its patience has been sorely tested of late. The 2013 Unisys Security Index reports that the majority of Kiwis are concerned that both commercial and government organisations are vulnerable to accidental or malicious data breaches.
Public confidence in these organisations' ability to protect data has been compromised, so they need to take action to guard against any breach, whether accidental or deliberate.
While resellers will have their own preferred security technologies to recommend, don't ignore the human side of the equation. Policies and processes are equally important:
• Password protection is a basic defence
People may want to use the same passwords at work, for their personal email account and Facebook. That's not a good idea. And refresh those passwords regularly.
• Security policies are useless if no one knows about them
Recent research by Unisys on the consumerisation of IT showed that 90% of NZ organisations have security policies in place, yet 41% of NZ employees say they are unaware of them.
• Education is great for mitigating basic breaches
Employees need to not only be familiar with the policies, but also to understand the implications of not adhering to them.
• Don't make things difficult
Write security policies plainly, so even Granny can understand them. And size isn't everything: in fact briefer is better. An easily digestible two page security policy document can be comprehensive and will be more effective than a 300 page monster.
Even the broadest set of policies, succinctly expressed and supported by proper training, doesn't completely guard against human error. That risk will never go away, so rather than rely solely on controlling access to data, consider securing the data itself via encryption.
That way even if the wrong people gain access to it, they still won't be able to read it.
Edward Snowden's disclosures have heightened awareness of cybersecurity around the world and the risks of storing unencrypted data on internal networks.