Pragmatism versus paranoia

There is a fine line between the two when it comes to corporate security, says Kurt Roemer


“Treat all employees as a threat and all data as insecure.” We have heard that before.

Businesses perennially fail to address risk and security. I would argue that a wholesale change in the fundamental approach to security is required if businesses are to reduce the risk presented by end users. The first step in making this happen is to assume all end users present a significant risk.

This is not to suggest that all, or any, employees are criminally motivated. Rather, it acknowledges that human error is the weakest link in the chain. In the HMRC data loss, in which 26 million personal records went missing, the responsible way to handle the data would have been to assume that anyone is capable of losing a CD. Yet the data was written to CDs and passed around by courier.

But this kind of practice is not the exception.

Employee security lapses happen for many reasons. Sometimes, it is just more convenient to ignore security to get a job done. Often, the security needs of the data in question are not well understood. And people make mistakes.

As businesses, we have taken the company's most sensitive data and placed it on a disk somewhere. Initial access to this data is controlled by an account and password (or stronger authentication), but once the keys have unlocked the data store, everything within it is available to whoever holds them. By controlling only the point of entry, businesses have in effect put every employee in charge of security.

Data distribution becomes a concern when we think about the changing culture in many organisations. People increasingly expect to be able to use mobile devices such as smartphones or the BlackBerry, and if the company will not supply them, they buy them anyway.

Hackers exploit the open wireless networks used by employees working from home or from public access points. Yet 100 per cent secure is 100 per cent unusable. Organisations have to find a way to provide security for these situations while making it a benefit to the user.

Virtualisation can solve the data distribution problem outlined earlier, because the information stays in the datacentre: users work on it through a hosted application or desktop, so if they want to take work home they can, without the data ever leaving the network. One caveat: the remote session is itself a channel, so clipboard, printing and local drive redirection need to be restricted by policy, or the data can leave through the session instead of on a CD. Running each application in an isolated environment also means that a crash or problem in one environment does not affect any other. The IT department can define different configurations and allocate resources according to the category of user.