Business managers: 5 ways to improve your data security
By Rich Freeman
Many business managers think of security as an issue for the IT department, forgetting that the "I" in IT stands for "information." From balance sheets to sales figures to product designs, information is the lifeblood of your business. If unauthorized persons gain access to it, it is not the IT department alone that suffers the consequences. Below are five steps that executives in finance, sales, marketing, and operations roles can take to reduce their vulnerability to serious risks.
In Summary:
• To promote regulatory compliance, invest in employee security training and automated data protection tools.
• Use encryption and network access control technologies to prevent mobile workers from compromising sensitive data and business applications.
• Ensure that older finance and operations applications conform to your company's security standards.
Yes, some business managers do recognize the importance of security. But they pin their hopes on a single system or policy as the answer to all their needs. "Unfortunately there is no magic bullet," says Mounil Patel, research director for information security and services at Boston-based analyst firm Aberdeen Group Inc. "You really need to take a layered and strategic approach to [security] on an ongoing basis."
Following that advice need not be overwhelming, however. The following five tips from security experts can help finance, sales, marketing, and operations managers integrate information security needs into their daily roles:
1. Forge a partnership with your security experts
Business leaders and the IT staffers who enforce security have different and often conflicting priorities. Operations executives, for example, seek to make processes faster and more efficient. Security, however, is about making processes safer, which can slow them down. As a result, operations managers sometimes treat IT staff as adversaries instead of partners when it comes to security. The same is true of marketing executives, 56 percent of whom say they have never consulted with their company’s internal data privacy team, according to a September 2006 study of U.S. businesses from The Ponemon Institute LLC, an information management research organization based in Elk Rapids, Mich.
Allowing such tensions to linger is dangerous. To help your company strike the right balance between efficiency and safety, encourage business executives to assign IT professionals advisory roles in department meetings and planning discussions. These IT security advisers can then highlight potential risks and propose solutions before problems occur.
2. Set strong data protection policies and provide employee training
Laws such as the U.S. Electronic Communications Privacy Act and the European Union Data Protection Directive require organizations to protect confidential employee and customer information. Companies that fail to comply face stiff penalties and reduced stock values (not to mention public embarrassment). Final responsibility for enforcing such data protection mandates lies with the chief financial officer at most organizations, but any senior manager whose staff stores legally protected data (HR and sales executives, for example) has a part to play in regulatory compliance as well.
Employees are ultimately responsible for 50 percent to 70 percent of a typical organization's data leaks, says Khalid Kark, a senior analyst at Forrester Research Inc., of Cambridge, Mass. The best way to reduce that figure at your company, Kark advises, is to take the following steps:
• Draft comprehensive security and privacy policies, which should cover appropriate and inappropriate uses of sensitive information and safe practices for handling private data, among other topics.
• Train employees in both policies and secure computing practices. Only 36 percent of companies worldwide provide security awareness education to their employees, according to a 2006 information security study by CIO and PricewaterhouseCoopers LLC.
• Actively enforce policies. Employees need visible proof that management takes security seriously and will punish people who break the rules: penalties for major breaches could even include termination.
Salespeople, in particular, should receive detailed training in your company's data protection practices, as they are likely to get questions on that topic from anxious customers. Your sales professionals should be comfortable responding to basic privacy-related questions, says Richard Feingold, a senior security consultant at management and technology consulting firm SiloSmashers Inc. of Fairfax, Va. They should also know whom in your IT organization to contact with more complex queries about your company's security technologies or policies.
3. Deploy automated data protection tools
Even trained and well-intentioned employees make mistakes, so be sure to supplement education with automated technologies that protect privacy and security. Companies that use data protection systems experience 13 percent fewer security events and vulnerabilities, and an associated 17.5 percent drop in IT labor costs, according to a global 2006 Aberdeen Group study.
Start with the basics. Firewall products (such as Microsoft Internet Security and Acceleration Server) keep intruders away from databases containing confidential data, and can bar people from viewing or saving private information in attachments when using public computers. E-mail security products (such as Forefront Security for Exchange) help block outbound messages containing confidential text or files while also protecting against harmful viruses and other attacks.
Next, consider deploying more specialized technologies. For example, information leak prevention tools (also known as data loss prevention tools) monitor messages and files moving across your network and stop employees from distributing confidential information inappropriately. Rights management technologies (such as Windows Rights Management Services for Windows Server 2003) bar employees from copying or printing sensitive files.
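To make concrete what an information leak prevention tool does at the mail gateway, here is an added example (not code from the article or from any product it names) of an outbound message inspector. It assumes a corporate domain of `example.com`, two classification markers ("CONFIDENTIAL", "INTERNAL ONLY") and a payment-card pattern validated with the Luhn checksum; all sample messages are constructed. A message is blocked only when it carries a finding and at least one recipient is outside the company, so internal circulation of sensitive data is logged but not stopped.

```python
import re
from dataclasses import dataclass

# Assumed corporate mail domain for this example (constructed, not from the article)
INTERNAL_DOMAIN = "example.com"

# Classification markers that policy says must never leave the company
CLASSIFICATION_MARKERS = ("CONFIDENTIAL", "INTERNAL ONLY")

# 13-16 digit runs, optionally separated by spaces or dashes (candidate card numbers)
CARD_CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


@dataclass(frozen=True)
class OutboundMessage:
    sender: str
    recipients: tuple
    subject: str
    body: str
    attachment_names: tuple = ()


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: keeps order numbers and phone numbers out of the findings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return digit strings that look like card numbers AND pass the Luhn check."""
    found = []
    for m in CARD_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 16 and luhn_valid(digits):
            found.append(digits)
    return found


def external_recipients(msg: OutboundMessage) -> list:
    """Recipients whose address is not in the corporate domain."""
    return [r for r in msg.recipients if not r.lower().endswith("@" + INTERNAL_DOMAIN)]


def inspect(msg: OutboundMessage) -> dict:
    """Classify one outbound message: findings are always recorded, the message is
    blocked only when sensitive content would leave the company."""
    findings = []
    text = f"{msg.subject}\n{msg.body}"
    upper = text.upper()
    for marker in CLASSIFICATION_MARKERS:
        if marker in upper:
            findings.append(f"classification marker '{marker}' in message text")
    for name in msg.attachment_names:
        if any(marker in name.upper() for marker in CLASSIFICATION_MARKERS):
            findings.append(f"classified attachment '{name}'")
    cards = find_card_numbers(text)
    if cards:
        findings.append(f"{len(cards)} payment card number(s) in message text")
    external = external_recipients(msg)
    action = "block" if findings and external else "allow"
    return {"action": action, "findings": findings, "external": external}


# Constructed sample traffic
SAMPLE_MESSAGES = (
    OutboundMessage("alice@example.com", ("partner@othercorp.example",),
                    "Roadmap", "Internal only draft, please do not forward.",
                    ("roadmap-CONFIDENTIAL.pdf",)),
    OutboundMessage("bob@example.com", ("carol@example.com",),
                    "Refund", "Customer card 4111 1111 1111 1111, refund approved."),
    OutboundMessage("dave@example.com", ("supplier@othercorp.example",),
                    "Order", "Order 1234 5678 9012 3456 shipped today."),
)

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m.recipients, inspect(m))
```

The Luhn check is what keeps the second pattern useful: the third sample message carries a 16-digit order number that fails the checksum, so it is allowed without a finding rather than becoming a false positive for the security team.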
4. Guard against mobile security threats
Mobile workers, such as salespeople, are vulnerable to a variety of security risks. For example, in the last year, 81 percent of organizations have lost at least one laptop containing sensitive information, according to an August 2006 Ponemon Institute study. To keep confidential data from falling into the wrong hands, require salespeople to equip their mobile devices with encryption tools, such as the BitLocker technology in Windows Vista.
In addition, use network access control (NAC) systems to keep cyber-criminals from connecting with your company's business applications using stolen laptops. NAC technologies (such as the Network Access Protection platform that Microsoft is building into Windows Vista and Windows Server "Longhorn") allow you to deny access to targeted groups of employees under specific, unsafe conditions. For example, you might choose to lock salespeople out of your accounting system whenever they are out of the office. Similarly, if your company does not have an office in Asia, you might wish to bar all remote connections originating from Asian locations.
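The kind of conditional rules described above, as an added example that is not part of the article and not code from any NAC product it mentions: a small policy evaluator that decides an access request from the user's group, the application requested, whether the connection is on-site, its geolocated region, and the endpoint's encryption health claim. The group names, applications, regions and the policy table are all constructed assumptions; the two rules from the text (salespeople locked out of accounting when off-site, remote connections refused from an unsupported region) appear alongside an entitlement check and a device-health check, and every decision carries a reason written for the audit log.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    user: str
    group: str            # directory group, e.g. "sales" or "finance" (constructed)
    app: str              # application requested, e.g. "accounting" (constructed)
    on_site: bool         # True when the connection comes from the office network
    region: str           # geolocated origin of a remote connection
    disk_encrypted: bool  # health claim reported by the endpoint agent


# Assumed policy for this example (constructed, not from the article)
POLICY = {
    # groups entitled to each application at all
    "app_groups": {
        "accounting": {"finance", "sales"},
        "crm": {"sales", "marketing"},
    },
    # groups locked out of an application whenever they are off-site
    "off_site_denied": {"accounting": {"sales"}},
    # regions from which remote connections are accepted
    "allowed_regions": {"north-america", "europe"},
}


def evaluate(req: AccessRequest, policy: dict = POLICY) -> tuple:
    """Return (allowed, reason). The first failing check decides; anything not
    explicitly entitled is denied, so a typo in a group name fails closed."""
    if not req.disk_encrypted:
        return False, "endpoint reports no full-disk encryption"
    if req.group not in policy["app_groups"].get(req.app, set()):
        return False, f"group '{req.group}' is not entitled to '{req.app}'"
    if not req.on_site and req.region not in policy["allowed_regions"]:
        return False, f"remote connection from unsupported region '{req.region}'"
    if not req.on_site and req.group in policy["off_site_denied"].get(req.app, set()):
        return False, f"group '{req.group}' may use '{req.app}' only from the office"
    return True, "all checks passed"


def audit_line(req: AccessRequest, decision: tuple) -> str:
    """One line per decision, so denials can be reviewed and tuned later."""
    allowed, reason = decision
    verb = "ALLOW" if allowed else "DENY"
    return (f"{verb} user={req.user} group={req.group} app={req.app} "
            f"on_site={req.on_site} region={req.region} reason={reason}")


# Constructed sample requests
SAMPLE_REQUESTS = (
    AccessRequest("alice", "sales", "accounting", True, "north-america", True),
    AccessRequest("alice", "sales", "accounting", False, "north-america", True),
    AccessRequest("bob", "finance", "accounting", False, "asia", True),
    AccessRequest("carol", "sales", "crm", False, "europe", True),
    AccessRequest("carol", "sales", "crm", False, "europe", False),
    AccessRequest("dave", "marketing", "accounting", True, "north-america", True),
)

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(audit_line(r, evaluate(r)))
```

The check order matters: device health and entitlement are evaluated before the location rules, so a stolen, unencrypted laptop is refused regardless of where it connects from, and the audit line names the first condition that failed rather than a generic "denied".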
5. Assess your legacy applications
Mounting concern over theft, hackers, and data loss has resulted in a new generation of more secure business applications. Many finance and operations executives, however, still depend on older legacy systems that sometimes lack strong protection against unauthorized viewing, editing, and distribution of confidential data. "It is a good idea to review the security controls for those systems and make sure they are compliant with your internal policies," Kark observes. If any systems fail that test, ask your IT department to update them with custom code, or use third-party security products to bolster their defenses.
Above all, make sure not to treat security as an issue you address once and then ignore. "That is where people get into trouble," Patel notes. "Risk management is an ongoing process. It is not something you can solve by buying a package and saying you are good for another five years."
Rich Freeman is a Seattle-based freelance writer specializing in business and technology. He has more than 14 years of strategic marketing and communications experience in the IT industry.