Your approach to information security isn’t just about preventing data breaches. It can also help you streamline business operations, increase customer and stakeholder trust, and reallocate risk – all of which affect your organisation’s costs, growth and innovation.
Directors and shareholders in particular pay close attention to these kinds of business values. If your approach to security keeps stakeholders in mind, you will ensure your resulting security programme is connected to the business as a whole, and contributes to achieving wider goals.
Here are five steps for ensuring your security strategy keeps your business in mind:
1. Only protect what is important
Enterprises should look to implement information governance best practice in order to determine what data is critical, where high-value, high-risk data is stored and how much it is worth to the organisation. This will help you determine what information requires the highest level of protection, and will ensure you focus your attention where it is really needed.
2. Shepherd your data
Once you have identified your organisation’s critical information, your next goal is to become a “good shepherd” of that data. Reviewing your organisation’s business processes and network architecture will often highlight the fact that people store all manner of critical-value data in inappropriate places, such as emails, email archives, development servers, file shares and personal computers.
If you think of your data as you would a flock of sheep, you need to know where they are, segregate them into separate fields and make sure the fences between them are secured. It is also important to regularly check in on your sheep and the state of the fences that surround their fields. This way, even if a wolf (cybercriminal) were to break in, the risk can be restricted to only the area of compromise. You can rest easy, knowing the other sheep under your care remain safe and secure.
There are a number of technologies that can alert you and your security team to potential breakdowns in your fences. In the future, these technologies will go beyond just acting as an alerting system. Ideally, the tech will become a smart system that has best practices embedded into the tool’s functionality.
3. Prioritise your efforts
Not all data is created equal, so there is no point in protecting anything and everything in the same way. Is there any business value or risk in a series of internal staff emails about last month’s employee social? Maybe, but more than likely not.
Protecting customers’ private contact information, on the other hand, is crucial. By focussing your attention on protecting data that really needs security, your organisation will save time, money and effort. This will allow you to use your data more freely to produce business results, whilst ensuring your critical data is protected.
4. Implement security across your organisation
Your data security practices and policies should be integral to all your business functions and decisions – everything from your physical buildings, to what systems you use, and the training you offer to employees. You need to build an entire culture of security that understands that it is operating behind enemy lines and that attacks are a matter of “when”, not “if”.
As such, you can’t view security simply as an IT concern. Without the commitment and support of all employees, across all areas, your security programme is certain to fail.
A culture of security will embed discipline into the decision-making process, allow for healthy debate about the business value and benefits of proposed security-driven restrictions, and proactively identify data that is highly sensitive so you can purposefully manage it from the very start, rather than after it is at risk or lost.
5. Ensure security starts at the source
Although technology is only part of your security posture, there is an important caveat. Most endpoint security technology works at a relatively high level within the operating system on the assumption that the kernel is secure. However, the guys who write malware do not necessarily play by the rules and many of them are experts in low-level programming. That’s why you need an adaptive security technology that gives you complete visibility all the way to the source – the kernel.
Breaches are becoming a major concern for UK enterprises. Regulators are scrutinising organisations’ security practices more closely than ever. Ensuring your own organisation takes a proactive approach to security can give you a much-needed advantage when you are targeted.