How many times does your business need to make headlines for losing customer data? The answer should really be zero. The only organization that can survive repeated high-profile data breaches is the federal government, and that is only because no more secure, more trusted competitor is nipping at its heels. The situation is even more critical for small and medium businesses, which depend on the trust and repeat business of a particular vertical, niche, or pool of customers that is far smaller than a big bank's or insurance company's.
Perhaps physical security is most often ignored because it seems so obvious, especially for SMBs. How secure is that server under Fred’s desk? How about the laptop that Joan left on the train? The phone that Sam left at the coffee shop? Or the flash drive that fell out of Carol’s bag?
Physical security is far more likely to be put in jeopardy by what employees take out of the office than by someone trying to get into the office, sit down at a console, and hack into a server, Mission Impossible-style. Either way, when Fran leaves her laptop open and unlocked while she gets up to use the airport lavatory, your organization's next big product, a patient's medical history, a student's academic records, or a customer's social security number may be at risk. In many cases there are not just business consequences for these preventable breaches; there may also be legal and regulatory consequences.
Passwords. Group policies. Firewalls. Anti-malware. Hard drive encryption. Remote wipe. Multi-factor authentication. These all represent forms of logical or technical security. Keep in mind that confidential data on a PC or server may be breached as easily (or more easily) by a Trojan or some other software-based attack as by an attacker trying to break into your network from outside. In the same way, common passwords and overly permissive policies create opportunities for the bad guys to bypass the best of firewalls or the most stringent physical security.
Logical security is the most labor intensive because it requires consistent vigilance and regular updates to policies and profiles. If Stan makes a lateral move from engineering to sales, his access rights to file shares and applications in the engineering group need to be reviewed and, where no longer justified, removed; it is all too easy to let such updates slip through the cracks, and every move that is not followed by a review leaves the employee holding the union of every role they have ever had. The practical fix is to treat an HR role change as a trigger for an access review rather than relying on someone remembering to ask.
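The kind of review the previous paragraph calls for can be scripted. The following is an added example, not code from the original article: it reconciles a constructed HR feed (each user's current department) against a constructed directory export (each user's group memberships), using an assumed map of which department owns each group, and flags memberships that no longer match the user's department, accounts that still hold groups but have no HR record, and groups nobody has claimed ownership of. All names, groups and the owner map are illustrative assumptions.

```python
"""Stale-access review after a lateral move (added example, not the article's code)."""
from dataclasses import dataclass

# Constructed sample: which department owns each directory group.
# A value of None marks a shared group that any employee may hold.
GROUP_OWNER = {
    "eng-source": "engineering",
    "eng-build-servers": "engineering",
    "sales-crm": "sales",
    "all-staff": None,
}

# Constructed sample HR feed: current department per user.
HR_DEPARTMENT = {
    "stan": "sales",        # just moved from engineering to sales
    "joan": "engineering",
    "carol": "sales",
}

# Constructed sample directory export: group memberships per user.
# "fred" has left the company but his account and groups still exist.
DIRECTORY_GROUPS = {
    "stan": ["eng-source", "eng-build-servers", "sales-crm", "all-staff"],
    "joan": ["eng-source", "all-staff"],
    "carol": ["sales-crm", "all-staff"],
    "fred": ["eng-source"],
}


@dataclass(frozen=True)
class Finding:
    user: str
    group: str
    reason: str


def review_access(hr, directory, owners):
    """Return a Finding for every membership that cannot be justified.

    Three conditions are reported:
      - the group is owned by a department other than the user's current one
        (access left over from a previous role);
      - the user holds groups but has no HR record (probable leaver);
      - the group is absent from the owner map, so nobody can vouch for it.
    """
    findings = []
    for user, groups in sorted(directory.items()):
        if user not in hr:
            findings.extend(Finding(user, g, "no HR record") for g in groups)
            continue
        dept = hr[user]
        for group in groups:
            if group not in owners:
                findings.append(Finding(user, group, "unowned group"))
                continue
            owner = owners[group]
            if owner is not None and owner != dept:
                findings.append(
                    Finding(user, group, f"owned by {owner}, user is now in {dept}")
                )
    return findings


if __name__ == "__main__":
    for f in review_access(HR_DEPARTMENT, DIRECTORY_GROUPS, GROUP_OWNER):
        print(f"{f.user:6} {f.group:18} {f.reason}")
```

Run against the sample data, this reports Stan's two leftover engineering groups and Fred's orphaned account, and nothing for Joan or Carol. In a real deployment the HR feed and the directory export would come from the HR system and the identity provider; the owner map is the part that must be maintained by hand, which is exactly the administrative work the next paragraphs describe.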
If physical security is the most frequently ignored and logical security is the most labor intensive, administrative security is the most mundane. Yet, at least from an HR and labor relations perspective, it’s the most important component of security an organization can address. It also drives many aspects of physical and logical security.
Administrative security represents the policies, procedures, acceptable use definitions, expectations, and business rules that are implemented by IT staff and carried out or complied with by end users. Everything from password complexity requirements to BYOD policies falls under administrative security.
Is the cloud the answer?
This section could also have been called "If it ain't in my datacenter, it ain't secure", a common refrain from IT staff wedded to their on-premises solutions. However, organizations at least need to be considering private cloud implementations (if not hybrid or full public cloud solutions) to support employee access to data and applications. While the cloud isn't a security panacea, it does tend to keep sensitive information off of local hard drives and portable devices and in environments over which IT staff have far greater control. The caveat is that the control moves with the data: a cloud service is only as safe as the accounts and permissions that reach it, so the logical and administrative controls above (multi-factor authentication, least-privilege access, timely access reviews) matter more, not less, once the data is no longer under Fred's desk.