Josie Sephton, originally published on CIO Online
Data protection is an essential area for businesses, and an increasingly critical one to deal with, as volumes and complexity of data grow, along with the volume and complexity of interactions both within the business and with the outside world.
Complex it may be, but it is an area that businesses can ill afford to bypass: without it, they are vulnerable to both premeditated and opportunistic attacks, as well as to exposures through negligence or even failure of systems. Companies are also exposed to threats from different sources, both from within and outside of the business. Internal attacks are typically driven by company staff, be they general end users, senior management or IT/admin staff, while external attacks might result from someone hacking into the company system or from users accessing compromised web sites and infecting their machines. Additionally, partners that have a business relationship with the company may also be a potential vulnerability unless well managed.
While it is very difficult to completely eliminate all security exposures that arise, be they external or internal, businesses need to ensure that all bases are covered, and that IT processes are closely linked to business ones. For example, a common vulnerability to which companies are often exposed is having insufficient measures in place for visibility and accountability around systems that involve partners. Companies must ensure that they continually monitor interactions with partners, and that any access by partners to internal systems is tightly controlled. Additionally, they should take steps to verify that the security practices of partners are adequate, and should revisit this on a regular basis.
A business may believe it is sufficiently protected because it has a set of security policies and procedures in place; however, this is not always sufficient. If these are not linked to specific people or groups, with accountability attached, then a company risks leaving itself exposed. Such policies and procedures need to address all essential areas, both inward and outward facing – rather than trying to focus on best-in-class for specific areas. Importantly, all policies need to be followed by staff, and must be executed in a timely manner.
More significantly, all users need to be properly educated with regard to the importance of protecting company data and, crucially, to the part they play in this. A key element of data protection – inextricably linked to end users – is the set of access and identity management processes. These deal with identifying users in a system and controlling their access to resources by linking each identity to a set of rights and restrictions.
As companies often have a variety of systems that are not necessarily fully integrated, the issue of identity management can quickly escalate, with users having multiple points of entry across the various systems. Managing multiple identities is a challenge to system administrators and to users alike. If there are too many identities and passwords to be managed, users may seek to use a common password across multiple systems, thereby exposing the most valuable systems to the security level of the weakest. This is also likely to be a major procedural challenge when a user leaves a company, possibly leaving some accounts operational rather than being closed down promptly.
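The two failure modes in this paragraph, identity sprawl across unintegrated systems and accounts left open after a leaver departs, are both visible once the account lists of each system are reconciled against the HR roster. The following is an added example, not code from the article or from any product it describes: it takes a constructed HR roster, constructed per-system account lists and a hypothetical register of documented non-person accounts, flags every account that belongs to someone who has left (with how long ago) or that has no known owner at all, and reports which people hold accounts in many separate systems. The names, systems and dates are all made up.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Constructed sample data (not from the article). In practice the roster comes
# from HR and each account list from that system's directory or admin API.
HR_ROSTER = {
    "alice": {"status": "active", "left_on": None},
    "bob":   {"status": "left",   "left_on": date(2024, 1, 15)},
    "carol": {"status": "active", "left_on": None},
}

SYSTEM_ACCOUNTS = {
    "erp":  ["alice", "bob", "carol"],
    "crm":  ["alice", "bob", "svc-report"],
    "vpn":  ["carol", "bob", "partner-acme"],
    "wiki": ["alice", "carol", "dave"],
}

# Hypothetical register of non-person accounts with a documented owner and purpose.
KNOWN_NON_PERSON_ACCOUNTS = {
    "svc-report": "nightly reporting job, owner: finance",
    "partner-acme": "partner integration, owner: partner manager",
}

# Date the review is run as of (constructed).
AS_OF = date(2024, 3, 1)


@dataclass(frozen=True)
class Finding:
    account: str
    system: str
    issue: str      # "leaver-still-active" or "no-known-owner"
    detail: str


def reconcile(roster, system_accounts, known_non_person, as_of):
    """Cross-check every account in every system against the HR roster.

    Returns (findings, systems_per_account). Findings cover accounts belonging
    to people who have left and accounts matching neither a person nor a
    registered non-person account. systems_per_account maps each account name
    to the sorted list of systems it exists in, which exposes identity sprawl.
    """
    findings = []
    systems_per_account = defaultdict(list)
    for system in sorted(system_accounts):
        for account in system_accounts[system]:
            systems_per_account[account].append(system)
            if account in known_non_person:
                continue  # documented service/partner account; reviewed separately
            person = roster.get(account)
            if person is None:
                findings.append(Finding(account, system, "no-known-owner",
                                        "not in HR roster or non-person register"))
            elif person["status"] == "left":
                days = (as_of - person["left_on"]).days
                findings.append(Finding(account, system, "leaver-still-active",
                                        f"left {days} days ago"))
    return findings, {k: sorted(v) for k, v in systems_per_account.items()}


def sprawl_report(systems_per_account, threshold):
    """Accounts present in at least `threshold` systems: candidates for one consolidated identity."""
    return sorted(a for a, s in systems_per_account.items() if len(s) >= threshold)


if __name__ == "__main__":
    findings, per_account = reconcile(HR_ROSTER, SYSTEM_ACCOUNTS,
                                      KNOWN_NON_PERSON_ACCOUNTS, AS_OF)
    for f in findings:
        print(f"{f.issue:22} {f.account:12} {f.system:6} {f.detail}")
    print("accounts in 3 or more systems:", sprawl_report(per_account, 3))
```

Run as a scheduled job, the leaver findings become a direct measure of how promptly offboarding closes accounts, the no-owner findings catch accounts that were never tied to a person or a documented purpose, and the sprawl list identifies the users for whom consolidating logins would remove the temptation to reuse one password everywhere.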
Companies may often consider that their approach to data security and identity management is sufficient. While that may be true for certain processes or systems, it is not an area that should be glossed over. Businesses are continually changing, both internally and in the way they link to the outside world. Sensible companies are well advised to ensure that security policies and procedures adapt accordingly; well-polished and well-understood identity management policies, effectively implemented, hold the potential to reduce both business risk and operational costs.