In the 2012 Governance of Enterprise IT (GEIT) Survey by the Information Systems Audit and Control Association (ISACA), organisations in the Asia-Pacific region reported a higher annual incidence of security breaches than the global average and a considerable shortage of IT staff.
The implication apparent to anyone who reads this information is that without enough IT support, organisations can’t get a grip on security. Adopting the mindset that security is only as good as the number of IT staff you have, however, is risky and may give an organisation a false sense of security. Businesses do not need to pay more IT staff salaries to enforce security effectively across the workplace. Rather, they can approach increasing security awareness from two angles. First, they can develop meaningful business policies that all employees are able to understand and embrace, furthering the cause of improved security. Second, organisations need to be able to leverage the right outside help to advise them on the security approach best suited to their specific business.
Setting effective policies
According to ISACA’s survey, most organisations expect the second most likely network security threat to occur in the next year to be caused by an employee mistake. Yet many of these organisations have no set security policies outlining what exactly employees should or shouldn’t do to avoid compromising security. Changing employees’ behaviour doesn’t begin with hiring more IT staff to enforce security — it begins with enforcing effective user policies across the business.
Organisations can define user policies based on organisation-wide, departmental or individual risk profiles to determine who should have access to which data, networks and systems, and what types of websites and applications can be used on different devices. If you allow BYOD, you should have a list of approved apps. If you use a cloud computing service, you should have a list of who can access it and who can’t. You should also consider providing lists of banned websites and guidance on which corporate data can be accessed via VPN when employees are offsite.
Once you’ve established what employees should be able to do and have access to, you can then set the procedures for maintaining security and determine what happens in the event of compromised systems, devices or data. Consistent education for current and new employees will help your newly defined security policies and procedures become ingrained in the culture. Security awareness should be a part of every employee’s induction, where practical examples are used to demonstrate why policy, procedures and good security practices are necessary. Ensuring employees know who to ask or where to find meaningful security advice and guidance is also useful. Security refresher workshops should be conducted annually for all employees and updated to reflect the changing threat landscape.
Enlisting the help of outside experts
It is unlikely you can invest enough money to completely secure yourself if you are connected to the Internet and external networks. So you need to understand how to make sure every dollar spent is spent wisely to get the best value from your security investment. Seek independent advice from a product-neutral expert — even better if it’s a consultant or company that has a background in high-level cyber security in areas such as government.
This advice will help you understand your security posture and keep up to date with how it evolves, independently of specific security products that might not fully protect your organisation. An independent security review can help organisations deep-dive into their security architecture to get an objective view of their needs and identify gaps. This type of customised, independent advice might also include certain tests, such as vulnerability or penetration testing, to confirm you really are protected from the latest cyber threats.
Remember that no single person will be able to cover your organisation’s attack surface and the entire threat landscape. Rather than worry that you don’t have enough IT staff in place, draw upon your current department resources to help draft and enforce policy and educate employees. Remember, too, that drawing upon external advice can help your organisation get the overall security picture it needs to prevent future threats.