Sensible Security: Are Staff A Security Risk, And Are You To Blame?
By David Kelleher,
Communications and Research Analyst at GFI Software

The paperless office may not yet have been achieved, but there is no doubt that the bulk of most organisations' data is stored in electronic format, be it in customer databases, email archives or confidential human resources files. Combine that with the proliferation of mobile devices such as laptops, PDAs, external hard drives and USB sticks, and a desire and/or need to work away from the office, and a serious security threat materialises. But with over 50% of employees currently finding security policies so restrictive that they are actually working around them in order to get their jobs done, security policies have to be very carefully drafted and balanced, argues David Kelleher, Communications and Research Analyst at GFI Software.

Unless data within an organisation is tracked, secured and handled by authorised and policy-educated people, precious and critical data may be lost, sold to third parties or used in a fraudulent manner. Data and storage security can be 'compromised' in three principal ways:

First, the availability and capacity of network-attached storage is on the increase. This means that the number of people accessing this data is also growing, which in turn increases the risk that confidential data can be accessed by unauthorised people.

Second, the use of uncontrolled portable storage devices, such as flash drives, puts considerable volumes of data at risk. These devices are lost or stolen easily, often with minimal if any encryption or access control.

Third, the risk of data leakage increases as more employees opt to use laptops because it gives them freedom to work away from the office.

A common security risk: people
Whichever way one looks at storage security, there is a common element throughout - people, who bring with them the element of human error. And combating the user's natural fallibility with technology alone will not protect a company's data. Instead, strong and enforceable security policies as well as employee and management awareness of security issues will go a long way towards improving the level of storage security in the organisation.

Storage security is more than protecting the data using technology or placing it under lock and key; it is also an exercise in people management - because it is the user who is the great threat and weakest security link.

Individuals who have access to sensitive data - which is far more people than many employers realise - are often targets of security attacks, often through personalised malware or spam such as prompts to download "essential" software. Perhaps more galling, many employees assume that the IT measures in place are all that is required and so company policies are redundant.

However, administrators cannot look at drafting and enforcing policies as a time-consuming burden. They must instead realise that by helping management to understand the importance of the policies, they will in fact find it easier to obtain funding to implement changes or bring in new security systems to protect the company's data.

It's good to talk
But strong and carefully drafted policies are all for nothing if they are not communicated to the entire staff-base. Organisations must, therefore, take adequate steps to communicate clearly and effectively to staff the information they need to achieve adequate risk management, and to explain their role in it. Education is key.

Internal communication is vitally important and often overlooked. Administrators need to explain in clear and simple language what each policy means and how and why each one is implemented throughout the organisation. If security policies cover the use of portable devices - and they surely should - administrators need to educate and explain why certain devices are banned or only to be acquired through or with the consent of the IT department. Any contrary approach is hugely counterproductive.

Employees are not as tech savvy as the administrator is. Instead of having the attitude of "What else can I do to prevent a security breach?" as the IT department does, employees think, "It will never happen to me!" They need to be educated on even the obvious security risks, such as leaving their passwords written on a sticky note on their monitor, and they need to understand that sharing passwords is equivalent to sharing the key to their home. They also need to understand that their actions are being monitored and that they are accountable to the company.

Practically speaking...
Business practices change, as do processes and data storage requirements, and IT is there as an adaptable function that enables the business to maximise the return on its own investments. At the same time, security policies also need to be updated regularly to take into account new threats.

Such a typically flexible working environment means that security policies have to be equally adaptable, else run the risk of being unworkable. An effective storage security policy should be a dynamic document - revisited regularly and updated.

If not, security policies are often seen to be too difficult to enforce in practice, or as a barrier to the fastest way of working. Indeed, a new study from EMC's RSA security division revealed that over 50% of employees are actually working around IT security policies in order to get their jobs done.

And so effective security becomes a two-way street: educating staff shows how often they can be at risk of jeopardising security policies and what the consequences can be, especially in situations where their role requires remote access and mobility. In return, however, companies must adapt their security measures so that, while they remain information-centric risk aversion policies, they also acknowledge and align with the needs and realities of the business. All told, every employee in every department has some level of responsibility for IT security, and none can realistically make it someone else's problem.

GFI Software is exhibiting at Infosecurity Europe 2009, the No. 1 industry event in Europe, held on 28th-30th April at its new venue, Earl's Court, London. The event provides an unrivalled free education programme, with exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk

Copyright ©2009 The Compliance Authority, Inc.