During these dark days, companies will need to look at ways to reduce overheads, be smart with their diminishing budgets and seek solutions that provide value for money, says Michael Callahan, Credant Technologies.
If the headlines are to be believed, we are either already gripped by recession or its arrival is imminent, with even the suggestion of a depression skulking on the horizon. One thing that is certain during these dark days is that companies will need to look at ways to reduce overheads, be smart with their diminishing budgets and seek solutions that provide value for money.
Recent months have seen a number of high profile organizations fighting for survival, from redundancies within the financial sector, downtime on production lines in manufacturing, to major retailers slashing costs. All organizations, across all sectors, from small businesses to international conglomerates, are being affected by today's economic climate. Their continued existence will depend on them reducing their bottom line and tightening their belts effectively.
When a company needs to limit its spending, the first area to be examined, and habitually slashed, is its IT budget, often with the security element considered non-essential. While many businesses overwhelmingly recognize that security has the power to determine whether they live or die commercially, many remain frustrated by the strain it places on finances and human resources. The reality is that growing regulatory requirements demand that enterprises protect data, making such a cost-saving strategy risky and potentially damaging.
Learn from others' expensive mistakes
Many an organization has fallen foul when, having taken the decision to deploy technology, it has then inadequately scoped the investment, instead restricting it to what it considers the bare minimum and failing to anticipate the implications of its deployments. No matter what type of software or device is chosen, security should be an important consideration, locking down both the device and the data contained within it to avoid 'hidden' expense. Taking a mobile device as an example, the questions that should be asked are what types of information it will be able to access and carry, and how easy it would be for the device to be lost or stolen. The answers will have a great impact on security concerns and risks and will dictate the type and amount of security needed for the device. Simple, cost-effective solutions, like boot-up passwords, two-factor authentication and encryption, can all play a role.
One publicized example of inadequate, or even shortsighted, investment is a Marks & Spencer-owned laptop, containing a database of its 26,000 employees' details, that was stolen from a third party. Having taken the decision to invest in laptops, the retailer opted not to take the precaution of sufficiently protecting those with sensitive data stored on them. The Information Commissioner's Office found Marks & Spencer in breach of the Data Protection Act, leaving the retailer not only with its reputation tarnished but also with an enforcement notice to ensure that all laptop hard drives were encrypted – a modest investment in hindsight, which would have saved its blushes, not to mention the costs involved in handling the breach.
Many leading companies and organizations have already looked to decrease their overheads by reducing their property spend and energy expenses in downsizing to smaller, cost-effective premises. Redundancies are inevitable as workforces are slimmed down, with remote working practices a feasible alternative.
As department numbers decrease, the resultant increased workload for those that remain may force diligent employees to take work home with them to avoid falling behind or missing deadlines. Hot-desking could become widespread as companies strive to maximize their use of resources and cut costs by providing limited desks for their workforce, if any at all - a drastic option could be to cut the cost of a central office altogether in favor of a 'virtual' office. Another solution may be to utilize external resources, such as contracted labor, consultants, and possibly entire departments - IT support, HR and payroll are just a few examples.
Survival at any price?
While many companies try to weather the storm, data security must still be paramount. Privacy laws, along with corporate governance and industry-specific regulations, have become prevalent over recent years, and neither ignorance nor lack of funds will be deemed an adequate defense. If organizations decide to lower their fortifications to allow flexible working practices, it is important that they do so securely and in a controlled manner. Here are a few ways for companies to examine what they currently have in their arsenal, and what they really shouldn't be without:
- Mobile computing allows people to use IT without being tied to a single location. Any business with staff that work, or will work, away from the office can benefit from using it. Devices - from laptops and personal organizers to "third generation" (3G) phones - can help to keep in touch and make the most productive use of your time. They can change the way you do business and lead to new ways of working, even new products and services that can be offered to customers, bringing new business opportunities. Increasingly, networking "hot spots" are being provided in offices where multiple employees access the same machine and network. While this increases productivity and can reduce costs, it must be done securely. Data security advice from the Information Commissioner's Office is to encrypt any personal information held electronically if it will cause damage or distress if it is lost or stolen and only provide data access to approved personnel.
- With new technologies, it's not only easier but more secure than it once was to let workers log onto the company network from home. Having fewer people working at the office could save money on energy bills – this could be taken further by shutting down the office completely one day per week and having everyone work from home, with further savings realized by shutting down the heating or air conditioning system. However, it is still imperative to secure the data as it leaves the office and travels home.
- Replace dedicated WAN links with site-to-site VPN. If your business has multiple physical locations and you have dedicated leased lines connecting them, it might be time to think about ditching the expensive dedicated links and replacing them with site-to-site VPN connections instead. Midsize and large businesses may be able to save thousands on monthly fees by doing this.
- Software application management (SAM) identifies installed applications, and then monitors their usage (or lack of) to determine compliance with software licenses and adherence to corporate usage and security policies. SAM is often perceived as a compliance exercise, yet the truth is organizations tend to underutilize licenses - typically 10-20 percent on dead, outdated or unnecessary application licenses. Reducing underutilized software has security benefits as well. Fewer applications mean fewer opportunities for compromises and configuration errors. Also, the process of inventorying and auditing software usage often paves the way for additional control disciplines that cut costs and boost asset productivity.
- Outsourcing is a sensitive subject, often conjuring images of personnel cuts. Yet the reality is judicious outsourcing can allow you to better utilize existing personnel.
- Make good use of existing investments, advice that UK-based PA Consulting should have heeded when an employee decided to circumvent existing security procedures, transferring data unencrypted to a memory stick, in breach of the company's contract and its own security policies. The memory stick, containing a Home Office database of 84,000 prisoners, was subsequently lost and, as a result, the firm has had its three-year contract worth 1.5 million pounds terminated, with the Home Office further reviewing its other contracts worth 8 million pounds a year. Everyone within an organization must understand their responsibility for keeping sensitive information secure and how to use the available technology, such as encryption software, to do so.
- Fundamentally, effective security means doing more with less - it is about people, processes and technology. There are plenty of interesting technologies available, although they're all useless if they're inappropriately deployed, managed and maintained. Allowing devices to operate in your enterprise without any rules or policies is truly the biggest risk. Complicated policies that regular users can't grasp are futile; instead they should be simple, precise and basic common sense. Often if people understand why they need to do something, then they'll do it. If all else fails, look for something that can be enforced, often unseen, that takes the onus away from them.
In difficult economic times it is important to remember that the evidence of past downturns shows that those who make smart use of innovative technology will be the ones who live to fight another day.
What is encryption?
Concerned about the damage and liabilities of lost and stolen data, enterprises are turning to encryption as a backstop to prevent corporate and customer information from ending up in the wrong hands. In fact, data security advice is to encrypt any personal information held electronically if it will cause damage or distress if it is lost or stolen. Data security has evolved beyond simply securing “bits on disks.” To ensure data protection in today's dynamic IT environment, leading analysts recommend that security protects what matters most: the data.
Organizations need a data-centric, policy-based, centrally managed approach to data protection, one that doesn't complicate essential IT and user operations. A data-centric encryption solution simultaneously meets security, IT operations and compliance needs. Encryption can take place whether data is on a desktop, laptop, PDA or USB stick, and it's granular, so administrators can set policies to determine which data is protected and against whom. A data-centric solution uniquely protects individual users' data without interfering with the other operational processes (upgrades, patches, etc.) that need to be done; it also protects against the internal threat and provides lower TCO.