Security should be a board-level concern. The volume, complexity and sophistication of attacks is rising rapidly, and massive breaches affecting household names are everyday news. Elevating security to a board-level concern is vital for business survivability.
IBM has recently released a report that provides chief executive officers (CEOs) and their C-level counterparts with five security principles that should be given the highest priority. These principles can be boiled down into the following three key areas:
- Focusing on employees;
- Putting controls around critical assets;
- Having processes and technologies in place for responding better and faster.
This article looks to explore the first area, which is made up of two guiding principles.
Increase the Security IQ of Every Employee
According to the Ponemon Institute’s 2014 Cost of Data Breach Study, 60 percent of security incidents are caused by employee errors and internal system glitches. Internal threats can be particularly pernicious since employees often have access to the most sensitive information produced by an organization. Sending data to an unauthorized person — even mistakenly — or introducing errors that can lead to diminished data integrity being can have serious consequences. To reduce the risk of employee error, CEOs should ensure they encourage a culture of security throughout the organization.
A top security priority is to train employees right when they join the organization. However, this is not a one-off exercise. Official training should be conducted at least annually, along with constant reminders, preferably done in a way that is fun and engaging for employees. They need to be aware of the threats facing their organizations, including emerging threats, and the sort of behavior that is expected of them to reduce their role in spreading these threats. They should be thoroughly trained on the security policies that have been set and told why they are needed.
To ensure the message is getting through, employees throughout the organization should be tested to make sure the knowledge imparted through training and awareness sessions has sunk in and that they really do understand the messages. Consequences for noncompliance with security policies, including possible sanctions, should be clearly spelled out.
But even that might not be enough. Some people perform well in structured tests, while others do not. As an extra precaution, organizations should look to catch their employees off guard, using phishing exploits to gauge their response to realistic scenarios. This will help the organization ascertain where the gaps in understanding are so it can take steps to remedy them.
Security Principles: Safeguard BYOD
At one time, organizations’ networks had clear boundaries, guarded by technologies such as firewalls. Today, those boundaries have all but disappeared. Mobile devices have become the device of choice for many employees and are constantly punching holes in traditional defenses. With mobile technologies quickly evolving and incorporating the latest and greatest features, many employees feel that their own devices are superior to those offered by their organizations. This has given rise to the bring-your-own-device (BYOD) phenomenon, with employees demanding to use the device of their choice for work purposes, especially since this removes the need to carry multiple devices for work and leisure purposes. Employees are the new perimeter.
Again, employee education is paramount for encouraging the safe use of personally owned devices, as well as security policies that spell out what is and what is not permissible. However, that alone is insufficient. Organizations must safeguard themselves by using technology to manage those devices and protect the data they contain, the transactions that are made with them and the applications that are permitted to contain corporate data.
Containerization is a strategy that has a central place in any enterprise mobility program. It provides a way to isolate corporate data on personal devices by enabling corporate and personal data to be placed in separate containers on the device. This allows different levels of security to be applied to different containers, ensuring the organization can safeguard its critical information while providing employees with the assurance that their personal data is safe from prying eyes. It also lets organizations retain the flexibility associated with the BYOD era, allowing for the safe use of any device rather than blocking network access until a particular device has been examined and certified.
Employees as the Front Line
The Cost of Data Breach Study estimates that the cost of dealing with a data breach increased by 15 percent in 2014 and will continue to rise. Employees and their devices are the front line of any organization, its human face to the world. To safeguard the organization from internal threats and external factors specifically targeting individual employees, it makes great sense to focus on employees themselves to lessen the chance that they inadvertently cause harm.
This is why security awareness and securing BYOD should be two of the main security principles espoused by boards of organizations. The next two articles in this series will focus on the other key security principles, examining how to best protect an organization’s crown jewels — its assets — and how to best prepare for and respond to security incidents.