
In today's global environment, the increasing use of technology in
business has allowed companies to reach a wider audience. This has
brought benefits, such as a larger customer base, global suppliers
and economies of scale; however, it has also brought significant
risk, not least to the security of information, writes Robert
O'Brien, chief executive at Baronscourt.
Many organisations have invested in technology to protect the
perimeter; however, as recent headlines have shown, they have
overlooked the single biggest threat to the security of
information: people. The majority of major data breaches over the
past 18 months can be attributed directly to employee behaviour, in
particular a failure to follow policies and procedures, and the
results have been catastrophic: millions of personal records
compromised, a plethora of government investigations, heavy fines
and sanctions, reputational damage and the media baying for blood.
Your employees are at the root of effective information
governance, and without making them aware of their responsibilities
for the guardianship of data, you are placing your organisation at
increased risk of a data breach. The major security standards, such
as ISO 27001 and PCI DSS, recognise this and require a formal
security awareness programme that covers all users (ISO 27001 Annex
A.8.2.2; PCI DSS requirement 12.6).
Organisations must ensure that employees read and understand
policies and procedures relating to IT security, and must be able
to evidence this in order to achieve compliance. This must be an
ongoing process: the data security threat landscape is ever
evolving, and frameworks, regulations and internal IT security
initiatives must change to reflect it and ensure sustainable IT
security and compliance.
This continual process of managing user accountability and
awareness is an impossible task without the help of automation. To
make full use of the technology and place the onus of information
security squarely on the employee, organisations should:
- Automate the policy creation process, allowing you to quickly
create new policies from scratch or amend existing policies in
response to changing regulations or threats. Automatic version
control provides an audit trail of every version of a policy that
was sent.
- Use automatic targeting and scheduling technology to ensure that
you reach every user in the organisation. Look for products that
cover laptop users, PDA and mobile users, remote/web access users
and staff who do not use a computer at all.
- Record a response every time a user acts on a policy, so that
you capture an audit trail of each user's response to every policy
communication. Staff who do not respond, or who respond
negatively, can be brought up to speed as part of a remediation
exercise.
- Automate surveys and risk assessments to test employee
understanding and present a picture of your IT security posture at
any given time. Auditors like to see high user participation
rates.
- Automation makes audit and reporting easier. Products with
sophisticated, multi-level reporting and audit functions will help
you identify problems and risk areas, and take immediate remedial
action.
- Automation allows you to develop the repeatable processes that
are the key to sustainable compliance and IT security.
Best practice IT security demands that users are trained and
educated in their responsibilities for sensitive data, and this
simply cannot be achieved using traditional methods of corporate
communication. Automation has been shown to increase user
awareness levels by at least 30% in three months, providing a
quick win for any IT security and compliance department.
Baronscourt is exhibiting at Infosecurity Europe 2009 on 28-30
April 2009 at Earls Court, London.