Why Employee Commitment is Key to Effective Security
IT security is a key issue for most organisations, and accounts for a significant amount of their IT budget. However, even the best systems will not work unless people follow the correct processes, and a survey found that almost a quarter believe data security is not their responsibility. Many behave in ways that heighten the risk of data loss, whether knowingly or accidentally.
To address this, organisations need to define security policy and obtain employee buy-in and commitment before looking for technical solutions. Users need to understand why security is important and the consequences of getting it wrong. They are much more likely to comply if they understand the risks rather than seeing security as a set of annoying rules which prevent them from working as they wish.
The risks of a security breach will differ for each organisation. For some, it is primarily loss of sensitive corporate data, whereas for those developing innovative new products commercial espionage is a concern. There are also ever-stricter statutory compliance and governance obligations, such as the Sarbanes-Oxley Act and the Payment Card Industry directive.
Security policy should be enforceable, realistic, acceptable to users and should not violate personal privacy laws. There should be no ambiguity and everyone should be clear on exactly what is and is not allowed, as well as the penalties for policy violations.
Being realistic means understanding and taking account of employee behaviour. In many instances an increasingly technically aware user population is configuring its own remote and email access outside corporate IT security guidelines, or bringing personal devices into the office, connecting them to the corporate network and potentially storing sensitive corporate information on them. IT teams need to define their policy to handle this situation, and should encourage users to come to them for advice on using personal devices.
User education is essential. For example, a key control that may be used to protect data is to disable the use of USB drives or other removable storage devices. This usually proves to be an unpopular decision, so user education and awareness training must be an important part of implementing this control.
It is also vital to obtain board level commitment. Too often the implementation and management of information security is left to the IT department. Security policy needs board level commitment before implementation, executive sponsorship during implementation and user education at all levels to ensure everyone understands what they need to do and the penalties for policy violations. These penalties should be equally applicable at all levels of the organisation.
Implementing security policy also means obtaining commitment from the various data owners within the organisation, who should be responsible for managing and keeping their data safe once the security solutions have been implemented. They can use DLP tools, for example, to define policy and reporting requirements appropriate to their needs. Typically the security problems we see occur where users are allowed to store data on their own machines. Data owners should also be given responsibility for ensuring that data is consolidated in a central network location, as DLP works best when data is organised and structured.
Another risk area is the use of passwords. Today people need to access an increasing number of systems, many of which are no longer hosted internally, each with its own authentication requirements and multiple, complex passwords. The result can be passwords written on Post-Its, the same password reused across systems, or users never logging out. Most organisations have implemented policies to try to eliminate this type of behaviour, but it persists, leading to increased security and compliance risks.
One solution is single sign-on, which can be provided through the cloud and used to authenticate against almost all IT services available today. It provides a central account or identity and provisions this into target systems such as Active Directory or SAP. This manages user authentication and entitlement, supports compliance, and provides user self-service. Adding the cloud enables single sign-on to web services and access to on-premise applications from any location, and enables the system to act as an identity provider (IdP) for SAML-based cloud and extranet services. The result is enhanced application security and improved compliance, as well as a reduction in the number of Service Desk calls for lost passwords.