Attend the likes of InfoSec to ensure you are up to date with the latest products and then seek the advice of an expert consultant to help in cutting through the snake oil and implementing a solution that is both fit for purpose and addresses end-user issues without encouraging circumventory behaviour, writes Andrea Simmons is a consultant forum manager for BCS Security Forum.
There are all sorts of tools available:
- laptop locks
- hard-disc encryption
- USB encryptors
- privacy screens
- anti-spyware, and so on
At the Lion's Den session at InfoSec, technology suppliers insisted that their systems should be deployed on the basis of distribution of agents across the network. In spite of concerns about increasing the number of agents that require management from an operational point of view, some suppliers believed their own marketing speak that their product would be able to address all "unknown risks" that might confront an organisation. Such misjudged boasts do little for understanding risk management or operational management pressures and the need to ensure that the end-user is as aware as possible about externalities and the likelihood of malicious code attacks.
A natural sequence of actions can help achieve the protection required:
Undertake an information audit that identifies all the information assets: hardware, software, electronic information and manual records (the latter two particularly need to address both remote end-users and customers, identifying both personal data and sensitive corporate data).
Apply the appropriate product that reduces the risk to the pre-identified corporately accepted level (there is no such thing as 100% protection in the online, all-connected world).
Provide a programme of information security awareness that addresses concerns end-users may have about managing the data on their laptops and USBs (by way of encryption, passwords, privacy screens, and so on) as well as the simplest of instructions to not leave such items in taxis, on back seats of cars, under tables in Starbucks, and so on.
Undertake an audit programme to review the elements identified in step 1 to ensure these are as expected, and controlled in a way that is compliant with organisational policies and procedures.
Andrea Simmons is a consultant forum manager for BCS Security Forum