Businesses are often encouraged to take risks. Risks can fuel innovation, excite customers and set a business apart from competitors. However, while many parts of a business may benefit from occasional risks, security is one area that businesses cannot afford to compromise. While trying something new should be encouraged, this should only be done when it can be assured that company and customer data won’t be exposed.
One example is the old-school belief that security is best done by building a wall or perimeter around an organisation’s data assets and communication mechanisms. This idea is a misconception in the digital age, perpetuated by the tendency to ignore anything but central business goals. Given that hackers are also acting as start-ups, making money from the weaknesses of others, a significant security breach is, at some point, quite likely to happen. Criminality is part and parcel of the digital world, and it is naive to think otherwise.
While board executives should be applauded for thinking about taking a different approach, there are certain parameters that any new policies should stay inside. Security shouldn’t be treated once and then forgotten about. Below are five considerations that should be made when compiling security policies for the digital world.
1. Understand that data can exist anywhere
In order for a business to protect itself, it should first conduct a data sweep to understand what data it has collected or produced and where the most sensitive parts of that data sit. Once identified, a business’ biggest focus should be on protecting the data itself, rather than on a perimeter-first approach. Data breaches will occur, so the best form of defence is to protect the data through techniques like encryption and key management to create a scenario called a ‘secure breach’. With the data encrypted and unable to be decrypted by an unauthorised person, it becomes useless to anyone who may have taken it.
2. Deploy technology with a security-first approach
For security to be effective, it needs to be built in from the start. Deploying security from the first stage creates a secure environment from the outset and also means it is easier and cheaper to integrate than further down the line.
3. Have a breach response process
A breach doesn’t just have financial consequences; reputational damage can also occur. Customers will lose confidence in a brand following a data breach if they feel the company didn’t have the security in place to protect their data or wasn’t aware of how the data was taken in the first place. Companies firstly need to integrate existing security protocols and then communicate that no data can be accessed. Those that can reassure customers that their data is safe will go a long way to maintaining customer trust.
4. Educate stakeholders at all levels
Businesses need to start focusing on educating every level of their staff on the protocols and steps they have in place to protect the company’s sensitive data. A business’ security is only as good as its weakest link, and hackers will target staff in an attempt to gain access to the system. In order to stop this, those in charge have to ensure every layer of the workforce understands how to protect themselves, such as how to spot phishing scams and what two-factor authentication is.
5. Put the CEO in charge
Security must now be a boardroom issue and not something left to the Head of IT. CEOs need to understand the security protocols they have in place or what they need to have, as they are the people who are supposed to lead the company and will always be held responsible should a breach occur. A company’s mindset on how it approaches security ultimately comes from the top down.
Such principles can’t be ignored. In essence, businesses need to be able to react to security issues in the same way as other ‘unexpected’ business events. There are comparisons: water providers need to constantly monitor flows to ensure quality; fleet managers and airlines need checks to assure the safety of their cargo; and in the digitally-enabled world, all businesses need to keep constant tabs on their data, where it is and who can access it.
This shouldn’t be too difficult, but security will remain a challenge as long as it is treated with the wrong mindset, or completely ignored. To hope security can be left by the curb is not good business practice; it is blind optimism. And to deny this is the case is to deny the role that data now occupies in our businesses. Yes, companies need to take risks, but to gamble with their core assets, which are now an essential part of success, is a step too far.
Whether it’s education on how to spot phishing scams or what two-factor authentication is, a business’ security is only as strong as its weakest point. Following these five steps will ensure that security becomes everyone’s responsibility and avoid these risks being taken.