
BQ YORKSHIRE issue 12

Page 19

SPRING 12

INTERVIEW AS I SEE IT

Increasing use of new services like cloud computing makes cyber crime even more of an issue you have to face, says Alastair Broom

Regardless of size, no organisation is immune to cyber crime, data loss or fraud. As high-profile incidents featured across the media have highlighted, the effect on reputations, brands and the expense of fines from regulators can be significant. No organisation is immune and it is also impossible to be 100 per cent secure, as much as we strive to be.

Over the past year, we have seen a number of public sector firms fined by the Information Commissioner's Office (ICO) for data losses, and while the fines create enough bad press, the mud sticks and those firms are now facing life as a bad statistic.

There could be more of a burden to bear in the future too. Recent changes proposed by the European Commission to its Data Protection Directive mean that victims of data breaches would have to be informed within 24 hours, although it is not yet clear what would constitute a breach and whether the scale of the data leak or the nature of the information compromised determines its importance. Under the proposed changes, authorities would have powers to fine organisations up to £1m for failure to comply with the legislation.

Although small to medium enterprises will be exempt from employing an internal data protection officer, SMEs should still consider appointing a suitably skilled person to take on this role. Having a specific person to manage data protection is basic good practice and will help ready the company for any tightening up of legislation.

The Government claimed that cyber crime was costing the UK economy an estimated £27bn annually, and one of the main reasons for that is how easy it is. Online attacks are very different from those in the physical world where the attacker needs to be where you are, needs to penetrate your locked doors and burglar alarm and know where to look. With cyber crime, your attacker can hit you from anywhere in the world. The risk versus reward ratio is so much more attractive for the criminal.

Security these days is mostly about people: they are your weakest link and most likely to cause damage via an avoidable mistake. There are some basic steps you can take to ensure that your employees value the company’s security and play a role in ensuring it is protected. These include making sure that:

• Employees do not visit suspicious or inappropriate websites or open any suspicious emails
• Employees understand their obligations around data protection; and
• There are policies in place for mobile working and that these are supported by the appropriate technology solutions.

At a time when cyber crime seems to be escalating and becoming more organised, our data is becoming more mobile through the consumerisation of IT and cloud initiatives. As tablet and smartphone devices have become more popular in our homes, they have begun to enter the workplace too. This is proving to be a real challenge for IT departments as the network is accessed from unknown, potentially vulnerable devices which may be downloading sensitive corporate data.

While many chief executives may see mobile working as positive, if it creates an increased risk of data loss it will need a robust security policy underpinning it. Banning consumer devices and social networks from the workplace would simply create a frustrated workforce who could, in any case, circumvent security policy, perpetuating the problem.

Businesses need to design and implement their own individual strategy for mobile device use that works for them and their employees. Creating clear policies and processes will make for happy, productive staff while minimising the security risks. An organisation is most effective when it deploys a robust strategy and uses process and technology to enforce the strategy.

Worries about security, however, shouldn’t put you off using cloud or third-party network services, as long as you have a robust system in place. Many SMEs are discovering the potential of the cloud as a means to reduce infrastructure costs and improve business agility. This may appear to increase risk further, but a properly managed cloud provider’s data centre is arguably more secure than what you could offer.

In short, you need to make sure you thoroughly review your security policies and ensure that you have made a risk assessment of your infrastructure and data assets. Ensure your policies are supported by robust processes and people who are appropriately skilled and motivated. Use technology where appropriate to enforce policy, but the goal should be to make security seamless for the end user.

Alastair Broom is solutions director for IT security company Integralis

Keeping secure

Here are some ways to ensure you are better protected:

• Review and tune your IT policy so that it is current and staff understand their responsibilities.
• Never compromise security as you look to work more using mobile and cloud computing.
• Where you don’t have the requisite skills, ensure you partner with a security provider who does.
• Ensure your IT infrastructure is fully secure with patches and security updates installed. Also, make sure your existing security policies map into your cloud and mobile environments.
• Consider investing in a technology that controls social networking rather than blocking it. Restrictive policies will lead to frustrated staff and frustrated staff will always find a way to circumvent the barriers preventing them from working in a way that suits them.

BUSINESS QUARTER |SPRING 12


BQ YORKSHIRE issue 12 by We Are UMi - Issuu