Last year, a number of high-profile security breaches compromised customer data and brand integrity. As a result, data protection has again risen to the top of the agenda for organisations with leading CEOs like Apple's Tim Cook and Bitcoin Reserve’s Sam Lee addressing the issue on a very public stage.
Preventing breaches in today’s increasingly digitised world is becoming more complex. As businesses look to boost productivity and flexibility through adopting mobile technology, employees increasingly work from a growing number of devices and locations using a variety of public and private networks. This new way of working opens new gateways for malicious hackers to exploit, while also exposing organisations to unintentional and accidental data loss.
CEOs can no longer afford to perceive data breaches as a ‘technical only’ problem, merely improving the tools and platforms managed by their CIO and IT organisations. They need to work with experts, such as their digital risk officer (DRO), to drive a systemic behaviour change in business process and company culture. They also need to adopt new policies and make strategic investments tailored to address and reduce digital risk.
Before an organisation can mitigate risk and protect their reputation, the CEO and DRO need to ask: what are the main threats that our organisation faces, and how can we mitigate risk?
The digital security threats that organisations suffer generally fall into two categories: malicious security threats, such as the deliberate theft of passwords, bank details or intellectual property; and unintentional breaches such as the loss of a laptop or smartphone. Protecting against both types of threat can be challenging in today’s business environment.
As IT complexity increases, IT departments have less insight into how systems are used and accessed, making end-to-end security across devices, network and applications even more of a challenge. Schemes like BYOD and flexible working, which are important in driving productivity, efficiency and morale, result in employees increasingly working from a number of devices and locations. Sensitive information can be leaked through non-malicious breaches such as the loss of non-encrypted employee phones and other devices. Remote connections, including home broadband and public Wi-Fi, are outside of a company’s secure network. And shadow IT services, like Google Drive, are used without the knowledge or consent of the IT department.
Taking all of this into account, it isn’t surprising that Vodafone research found nearly a third of IT directors see increased and more complicated security risks as one of the greatest challenges they face.
What do organisations need to do?
Threats will always exist. No matter what the organisation or potential threat, the highest priority is preventing any breach from happening in the first place. But organisations also need to ensure that they can mitigate a breach as quickly and privately as possible, minimising impact and avoiding serious consequence – customer trust is hard won, and even more difficult to win back after a breach.
To close the gap and drive end-to-end security, organisation should consider a three-pronged approach to security.
>See also: What is a true digital enterprise?
1. Take it to the top
Security must be a board level conversation and become part of the DNA of the business – it is no longer the sole responsibility of the CIO. Security can make or break customer confidence and retention, and carries serious compliance implications as EU Data Protection regulations become more stringent. Top CEOs recognise this shift. After the celebrity iCloud breach last year, Tim Cook posted a letter announcing the new security page on Apple’s website, while Sam Lee, CEO of Bitcoin Reserve spoke candidly about how his company was a victim of creative hacking.
2. Invest in prevention
As well as demonstrating the importance of communicating security policy to customers, witnessing some of the world’s leading technology innovators struggle to protect their organisations from digital threats has sparked a new appetite for increased investment.
With technology evolving so rapidly, new threats are constantly forming. Organisations therefore need to understand that the level of time and money invested in security should reflect the value of what they are trying to protect. Asking for budget to reduce risk, rather than visibly adding value to the bottom line, can be a hard sell. Organisations need to weigh the cost a breach could have on their business, assets and reputation against the often much lower cost of prevention.
3. People, processes and policy
People can be an organisation’s biggest asset in preventing security breaches. Organisations need people with the right skills, but also a keen desire to stay a step ahead of the evolving threat landscape. Once you have these people on board, invest in their continued development to ensure your level of security protection remains constant.
In addition, organisations must have relevant security policies and robust risk management processes. A strong policy can help companies make informed decisions based on the risks posed by, for example, driving productivity through a mobile workforce. Decision makers can then tailor security measures accordingly to prevent breaches. A strong policy communicated publicly via executives can also play a role in driving customer confidence and trust.
Policies should communicate clear boundaries for employees and establish organisational expectations. Risk management should complement this by providing a clear process for staff to follow in the event of a breach – rapidly addressing the breach and minimising damage.
>See also: The security case for going digital
However, simply having a policy isn’t enough. Engagement with HR is crucial in driving policy awareness through staff training.
Outside threats will always exist, and they will continue to evolve. The message is one of prevention. When implemented properly, security should be a business enabler, not a barrier to working the way you need or delivering innovative services your customers want. Be flexible in responding to the new challenges presented by innovation. Invest wisely in equipment, people and policy, and make data security a true enabler and one of your organisation’s biggest assets.
Sourced from Howard Pinto, head of technology security, Vodafone UK