Hey, Let’s Be Careful Out There!

Posted on : 10-06-2016 | By : Maria Motyka | In : Cloud, Cyber Security, Data, Innovation, IoT

Tags: , , , , ,

0

In the context of accelerated digitisation, especially the adoption of innovations in the areas of cloud computing, IoT and the growth of social networking, as well as with increased mobility of the workforce, organisational security and risk management need to be rethought.

The way we work is constantly changing; according to recent research by Gartner, within the next 1.5 – 2 years, ’25 per cent of corporate data traffic will flow directly from mobile devices to the cloud, bypassing enterprise security controls’. Digital users now spend 30% of all connected time, 2 hours a day, on social media (Global Web Index) – let’s not fool ourselves, some of it (whether it’d be using the seemingly innocent Messenger app or the boring meeting savior Instagram) is within the office environment. And it’s definitely not just the Millennials who are guilty of the Social Media at work crime! The Bring Your Own Device (BYOD) trend is also becoming more and more popular, even within the traditionally conservative work environments (employees who get to work on their own laptops/tablets are said to be happier and thus more productive than the company devices-strained ones). While (according to Code42’s 2016 Datastrophe study) 87% CIO and CISOs claim that their companies have a clearly defined BYOD policy in place, a shocking 67% of knowledge workers (organisation’s end users) disagree (Infosec Magazine). When things go wrong and the freedom to connect/work anyplace, anytime compromises organisational security, it is the company that takes the hit.

At the same time, organisations often primarily rely on CXOs to deliver enterprise security, managing the increasingly sophisticated threats, in times when companies (and devices used by employees, often at work and at home) are being constantly compromised. This is not sufficient. All employees, across all functions, are responsible for securing the organisations they are part of. As highlighted by Gartner in the Managing Risk and Security at the Speed of Digital Business report, it is crucial for organisations to apply resilience to not only processes and technology, but also people. We cannot afford to overlook the ‘human’ element of security. Best practices include regular training and digital security awareness campaigns for everyone, as well as extending protections to company’s employees within their home environments (Gartner), in response to the blurring of the tech we use for personal and professional purposes, as well as the flexible work trend. Gartner proposes a ‘people-centric security’, which is about aiming for a perfect balance between protecting the company with the need to allow increased employee agility and adopt new and often risky new tech to stay competitive.

For now, it seems like ‘seeking’ a balance and regular employee education is the best companies can do.

Laptops and smartphones get and will get lost or stolen (whether in a club on the way to work). Data which is stored on or can be accessed through these devices can often be worth a thousand times more than the actual device. This is not an exaggeration; one obvious example being the infamous iPhone, which stirred the Apple-FBI encryption dispute. Moreover, the punishment doesn’t seem to fit the crime – charges for stealing a phone or a laptop usually fail to take into account the value of potentially compromised data. This is going to have to change in the future, especially when the devices we carry will store more and more data (not only confidential due to being work-related but also highly intimate, for example health-related).

Striving for the sweet spot between data security and taking advantage of the opportunities offered by the new tech/following the new working trends also means being clever about WHAT to protect. Not all data needs to be equally secure. As stressed by Richard Gale during ISITC’s General Meeting‘s security panel, companies need to focus on protecting their ‘crown jewels’. Utilising cloud tech and allowing employees the freedom to work flexibly won’t stop you from identifying and investing in protecting crucial data. Detection and response is yet another element which ought not to be overlooked. What would be the worst-case scenario and what your organisation do if the CEO’s mobile phone/laptop went missing? What steps is your company going to take if a Social Media app sends out phishing messages to employees? While it’s impossible to perfectly protect all the data, it’s worth having an action plan for when things go wrong.

Let your employees bring your own devices and go on, embrace the cloud – when doing so however, train, educate, invest more in protecting what’s most valuable and be prepared for when data does get compromised!

 

Talking about BYOD and training your employees about how to be digitally secure – a few months ago we shared a Cybersecurity Manual with 10 hands-on security tips, which you can read here.