Traditionally many organisations were of the opinion that security breaches were something that only affected ‘other’ companies and would never happen to them.
However, as an increasing number of high profile hack attacks and virus outbreaks have received extensive media coverage, this belief has had to be readdressed by all organisations.
The need for basic security has now been universally accepted with almost every organisation having some form of IT security in place. However, less than favourable economic climates and ever-dwindling budgets mean that many organisations never invest in anything more advanced than an anti-virus package and a firewall solution. In fact, companies need to stop looking at security as a purely preventative measure and realise that it can actually be a business enabler, but recognising the real benefits that more sophisticated solutions can bring to business seems to be eluding many organisations. So where do the opportunities lie and how can organisations make a wiser security investment which will further business and keep the board and shareholders happy?
The slippery slope
It stands to reason that when money is tight, investment is hindered. This is especially true where security spend is concerned, especially over and above tools viewed as the absolute essentials. As budgets are cut, any further investment in security is finding itself firmly on the corporate back burner.
The 2003 Ernst and Young Global Information Security Survey found that spending on technology, education, training and infrastructure to support IT security is slipping further down the priority list. More than half of the companies questioned cited insufficient budget as the main barrier to adequately protecting their information. In addition, the survey revealed that the budget that was available wasn't being put to its best use.
The business case for security
The way organisations work is fast changing. Technology has provided businesses with a plethora of ways to communicate, operate and transfer information like never before. In order to keep up with the competition, companies need to implement the latest working procedures and practises. Security needs to be viewed as part of the bigger IT picture to help it do more and operate more efficiently.
Mobile working and remote access have been widely welcomed by employers and employees alike. Company bosses are won over by the extra productivity it can bring to business and the workforce is attracted by the added freedom and flexibility it enables in doing their jobs.
Whilst the mobile working revolution provides organisations with ease and convenience, it can have serious implications for security and information integrity which cannot be ignored. In order to do their jobs outside the office, employees often need to download vital, confidential company information to their laptops and PDAs.
Remote control
Due to their size and portability it's all too easy for wireless devices to be lost or stolen. This means that at best you have just lost an expensive piece of kit which now needs replacing, but at worst your private company information ends up in the wrong hands.
In order to enjoy the advantages of remote working, organisations need to ensure that the infrastructure is properly secured. It's all very well rolling out laptops and PDAs to your employees, but without adequate security any potential gain from implementing mobile working may be lost along with your private company data.
Security solutions specifically designed to protect wireless devices are enabling organisations to enjoy mobile computing safe in the knowledge that security isn't being sacrificed. Even in the event that the device is lost or stolen, it becomes useless to an unauthorised user.
Laptop encryption and PDA security achieve some of the fastest and easiest improvements to security and this in turn has positive effects on business. For example, with single sign-on and application launch control features, you can deliver both productivity and security improvements, enabling your business to take advantage of the latest technologies, such as GPRS, in a secure fashion.
Consequences of mobility
With an estimated one in every 14 laptops stolen in 2001, company bosses cannot afford to skimp on mobile security. According to CSI and FBI surveys, the average damage to data resulting from the theft of one single laptop amounts to approximately $80,000. On the face of it this figure may sound exaggerated, but when you consider the kind of information commonly stored on wireless devices and the consequences of losing it, it's easy to see how the losses add up. For example, loss of hardware, financial information and business plans, not to mention possible civil action should customer or supplier information be compromised.
Organisations have a legal obligation to adequately protect the data it holds at all times. The bigger the company the more information it has to protect and the more it stands to lose. The cost of investing in mobile security is far less than paying out for the consequences of a security breach.
Do more with less
One key business enabler of security is that it can reduce spend on equipment by allowing users to share hardware such as PCs and laptops. Security solutions are now available which means organisations can protect certain files or folders on the hard drive to ensure that only authorised people within the company can access certain types of information. Therefore each employee or department can access only what is relevant to them depending on what authorisation rights have been set. Not only does this ensure that only the right people can view private company information, but it also enables desk-top switching and multiple use of equipment, meaning less financial outlay on hardware.
Being able to control who within an organisation has access to what information goes a long way towards ensuring that your business remains confidential. Opening up your systems to improve business procedures, to make operations more transparent and user-friendly, must be done wisely.
Be smart
The financial, retail and telecommunications industries have been benefiting from smartcard technology for a number of years, however its potential for enhancing security within all organisations is being recognised. Gone are the days when usernames and passwords were the mainstay of security. We all know the vulnerabilities of such traditional security measures. Passwords are often written on post-it notes in pride of place, 'hidden' under a keyboard or blatantly attached to the monitor.
Implementing a smartcard solution protects information using strong two-factor authentication by use of something you have (the smartcard) and something you know (a password or PIN). As a result, increased protection and stronger access control is guaranteed. In addition, through the use of this technology, IT costs can be reduced and secure flexible IT made available to more staff. Smartcard technology could also be implemented to offer secure email and digital signing which improves the security of electronic communication.
Selling security
The above goes to show that by implementing the right technology and solutions, security actually enables business processes. Moreover, it enables better business by allowing new working arrangements, raising productivity and therefore ultimately increasing revenue. By using security you can allow your company to work in the way it needs to rather than the way IT 'allows' it to.
So how best to get the board to sit up and take notice when it comes to security investment? The major concern for most, if not all organisations is the bottom line and being able to survive over the competition. Security solutions which aid business will undoubtedly make for a better performing company all round. Being able to take advantage of the latest technology and working procedures is the key to ensuring competitiveness in an overcrowded market and the board must recognise that security is a true business enabler.
Jackie Groves is UK managing director of Utimaco Safeware AG.
