The networking environment has changed radically in recent times. In todays world of increasing wireless use, widespread BYOD, more home working, more remote access, more consumer devices and the huge popularity of social media, the network is becoming ever more distributed.
In this situation, security breaches are inevitable, as is evidenced by the regular reporting of breaches at major organisations.
These breaches are of course only the tip of a large cyber-insecurity iceberg. As we have seen from post-mortems, and senior level sackings, many of the problems relate to poor management and the oversight of relatively junior individuals, rather than a fundamental failure of business security across the organisation.
Security has often been seen as a business disabler, rather than enabler. It is sometimes seen as a costly nuisance, to be avoided if it impacts projects delivery or performance. The responsibility for all security is often left to the security team. This attitude is now sharply changing in many organisations, with a root and branch review of security taking place at many of them.
Were all (or should be) aware that security is the responsibility of everyone in the organisation, but sometimes, in the heat of trying to achieve tactical business objectives, that responsibility gets overlooked.
Although, it is now not possible to guarantee defence against data breach, it is still possible to defend critical data against breach, if that data is identified and defended.
1) Define goals
The first place to look is at what is actually important. Everything is the wrong answer. Priority one is what is business critical or business threatening. Then decide what risk profile, and associated costs, you are prepared to accept in order to defend key data.
2) Protect the key data
Decide how to protect key data, rather than just defending all assets and all of the perimeter. Breach defences need to be in place, alongside consolidation and regular reporting, as breaches are now taking longer and longer to detect.
It may also move some defences and focus from broadline perimeter defence to specific areas. All key relevant stakeholders should be aware of the risk analysis and risk acceptance involved. This not only gets buy-in and increased security awareness, it also creates recognition that just having a defence doesnt guarantee security.
3) Risk analysis and risk acceptance
Before any mobile device, access, application, new technology or service is added to the company network, it should be signed off as accepted by the Board, and the proposing department or users, with a risk analysis as part of the sign-off. Interestingly, building-in security, as part of deployment rather than post-event, often provides better security at a lower overall cost.
4) Planning and deployment
Planning for deployment should include security implementation and acceptance of the risk. Security needs to be deployed with the solution, not post event.
Deployment of security for mobile devices and remote access is a key element in protecting networks today. Web applications (and indeed the cloud) present some specific risk points. Understanding and securing data in these areas needs particular focus, based on the risk and consequences of failure.
Read more top security tips on page two…