Today’s end-users want everything at their fingertips, from email to apps to company data. At the same time, they don’t want to leak company data, nor do they want to be made to feel like security threats just because they want to access data. Strong information security can be a competitive advantage, but getting security right can be a real challenge.
If you’re too lax with data protection, valuable data could be lost, and the organization could suffer severely (even fatally).
If you’re too tight with security, making end-users jump through endless hoops to access the data they need to get their work done, productivity can nosedive. Striking a balance can be difficult. Here are ways to approach security to balance protection with ease of use.
Be Ready to Argue the Business Value of Security
IT needs to be able to make the case that security is directly connected with core business functions and business goals. This involves weighing risks and their potential importance to the business. It also involves careful evaluation of the probability of risks, and the costs should the worst happen. For example, if someone were to blow up your data center, the damage could be incalculable, but the chances of that happening are probably low enough that you can focus your efforts on less catastrophic risks that are more likely to actually occur.
Identify Threats and Prepare
A major cause of data loss is simple human error, such as someone overwriting a file. Furthermore, many small and medium businesses rely on hard drives for data storage, and hard drives have a way of eventually failing. Most small and medium businesses are better off focusing their security efforts on problems like human error and hardware failure than on scenarios that are highly unlikely, even if they would result in catastrophe.
Don’t forget to identify threats from Mother Nature. Hurricane Sandy in 2012 showed that you don’t have to be in Florida to need a weather-related disaster preparedness plan. Protecting data from fire, flood, and non-manmade disasters is important to most businesses. If your organization’s data is subject to security and privacy regulations (like HIPAA), you have to regularly ensure your data protection practices meet regulations, and you should perform internal audits and drills to be certain you know what to do should a security breach occur.
Align Employee Policies with Security Needs
Policies won’t mean much if end-users aren’t educated about them.
End-users need to be educated about their responsibilities for ensuring data integrity and security. They also need to know the consequences should their carelessness or deliberate action cause a security problem. Basic security measures such as locking up sensitive paper documents, remotely wiping lost mobile devices, or confiscating access cards or keys of those who deliberately put data at risk should be written into policies and communicated to all end-users.
Your password policies should also balance realism with security. Strong password policies coupled with technologies like single sign-on help end-users maintain less penetrable passwords without making them complex enough that end-users will be tempted to write them down. Rules for changing passwords should be enforced consistently.
Nuts and Bolts: Software Security
Patch management is important because new vulnerabilities in applications and operating systems are found regularly. Having a robust patch management system is critical, as is a consistent update policy for software. Firewall and anti-virus measures have to be kept up to date as well, and end-users need to be educated on best practices when using the web, such as avoiding clicking on unexpected attachments in emails.
If you work in a BYOD organization, your BYOD policy should be revisited at least twice a year, and preferably quarterly. Some organizations institute their own enterprise app store (EAS) and require employees to use apps that have prior approval for work use. When employees leave the organization, your BYOD policies and general out-processing procedures should ensure they don’t take any data with them and that their access to the network ends when they leave.
Avoid Overkill By Mapping Security Measures to Real Risks
The best way to avoid needlessly strict security measures that hamper productivity is to define what your organization’s most likely risks are and focus mostly on those. While you have to plan for the unexpected (like a rogue employee or natural disaster), focusing on the most probable risks lets you do the most with your security resources and is less likely to affect end-user productivity.