Information is an asset for all organizations, large or small. Whether it’s a legal document, design for a new product, bid for a contract or personnel review, revealing these and other types of information to the outside world can cause the organization irrevocable damage.
Yet, with the proliferation of mobile devices and the likelihood of critical data travelling from place to place, data is more exposed to theft, loss, and snooping than ever before. Today’s savvy technology users have remote access via broadband and wireless connectivity, and with systems routinely shared by contractors, vendors, customers and employees, data security takes on ever-greater importance.
The technological advances of the past few decades have brought with them a complex set of security challenges. Rather than focusing on an outside perimeter defense (i.e. firewall, virus protection), experts say the emphasis today needs to be placed on maintaining the access to and protection of the data itself.
A decade ago, you could walk out of your employer’s place of business with a hard drive or a tape containing a significant amount of data. There was no way to monitor or control what you did, but you had only limited ability to access or manipulate the data because of the expensive proprietary systems required to read the data—outside the reach of most consumers. At that time, the information was protected in a de facto manner.
With the advent of laptop and mobile computing devices, virtual private networks (VPNs) were made SSL compliant, allowing the user to log into the system. This evolution has resulted in the need for both the development and deployment of identity and access management controls, which allow organizations to take a more detailed look at the identity of the user before providing access.
Organizations now know who you are when you log into their systems. But nothing can stop today’s knowledge workers from taking data home and making a copy on their spouse’s computer or on a USB memory device. You can walk out of your employer’s front door with a massive amount of data in your pocket.
While virtually all precautions have been taken to protect enterprise data, both in transit and on the network, little has been done to inherently protect the data itself. Ultimately, we have done a good job in preventing external attacks, but we have left ourselves vulnerable to the worst kind of attack—attack from the inside. This doesn’t need to be premeditated. It can be accidental.
Organizations today must create sets of rules regarding content, allowable actions, and consequences for breaching established protocols. Systems managers need to be able to monitor user workflow. By using off-the-shelf tools and monitoring data access behaviors, companies should be able to proactively predict events so as to make the appropriate provisions ahead of time.
Organizations should ensure their data security policies and procedures address the following key elements:
- Establishing detailed policies for data security—This entails making decisions about who will have access to systems, networks and content, and under what circumstances.
- Assessing the value of the asset being protected—Any security investment must be predicated on the value of the asset at risk.
- Incorporating transparent security solutions—While you don’t want to stand in the way of an employee who is taking a memory stick home to finish a document, you do want to form obstacles to deter inappropriate or unauthorized individuals.
- Viewing security as a process, rather than a product. Simply purchasing software solutions is not enough to protect your organization. The emphasis should be on planning, keeping in mind the needs and practices of the organization.
- Realizing that security is an ongoing process. Organizations must continue to embrace the mindset that security vulnerabilities and attacks will evolve over time and, as such, so will security policies.