To address the rapidly changing nature of threats, organisations need to think about security differently. Traditional security is no longer doing the job – businesses need a solid framework and layered system of defence to address today’s challenges.
In order to change the thinking around security, businesses must assess, transform, manage, and optimise security investments – existing security approaches are too fragmented, impose too many restrictions on users, and don’t give a holistic view of the situation.
John Mc Loughlin, MD of J2 Software, says the first step is to address what the vital security priorities are, and what needs to be secured immediately. These would include the company’s most crucial information and data, applications, identity and access, endpoint and of course, the network.
To protect the most sensitive and important information, a business must first decide which information can be collected.
“The company must also bear compliance in mind, and be aware of how data can be stored and transmitted. Once this has been established the business can decide which security practices must be applied,” Mc Loughlin explains.
Protecting the important data also requires a new focus on the business processes – risk must be managed, and compliance maintained. Mc Loughlin says companies need to figure out how to prioritise security investments; that this must be based on business risk measures, and how to keep security spend under control, while still being compliant with industry regulations.
Once a plan is in place to secure the most crucial data, risk will be better controlled, and compliance aligned with the business processes.
The burgeoning trends of BYOD and BYOA also present an opportunity for companies to examine their current, and very likely outdated, IT architecture. The business value always lies in the data, not the devices themselves, so organisations should concentrate on managing the applications and the data – securing the device alone is not going to do the job, says Mc Loughlin.
“Include IT, sales, HR and legal in the conversation around mobile strategy. Learn about, and get visibility into, the apps and devices that are coming into your business via your employees. Have a mobile policy in place to enforce security across these apps and devices.”
Companies must also look at securing endpoints, and not just the mobiles. The management of these should be centralised, with all endpoints consolidated for a single view. Security must be able to move with devices, and all endpoints must be secured – both inside and outside the firewall.
Ultimately, all businesses want to prevent breaches, intrusions and of course the loss of sensitive information. One way of doing this is to enforce a principle of least privilege and standardise and automate access. This requires a mixture of good governance and best practices, as well as technical, concludes Mc Loughlin.