It has been a testing time for economies around the globe and, although many countries seem to be recovering, there are many voices warning of a double-dip recession.
It is therefore unsurprising that financial directors are employing caution and continuing to grip the corporate purse strings tightly, limiting spending to the ‘bare minimum’.
Unfortunately this scenario leaves many CISOs with the unenviable task of securing data whilst under the pressure of constrained budgets. The result: a time bomb waiting to go off and, if you listen carefully, you can hear it ticking.
How have we got to where we are?
Whilst reduced spending may be good for the company’s balance sheet, often data security has been the trade-off. Let’s look at the evidence:
- Companies now have tighter budgets and yet are working with far fewer staff.
- More hours, less pay is now the mantra!
- Mobile and remote working has gained in popularity.
- Companies are faced with an unenviable dilemma: to get the job done they must embrace this mobile practice, yet this practice poses serious threats to data security which are costly to address. So ultimately the question becomes whether, with smaller budgets, the gains are worth the risk.
Only you can answer that for your organisation but there are few who really feel they have a choice. In fact, a survey conducted by Credant this summer confirmed that mobile working is very much a reality and few organisations are prepared:
The “mobile habits, leisure and security” survey revealed that more people than ever before plan to holiday with a laptop in 2010: 64%, an increase from 33% two years ago, confirmed that they will take their laptop with them for work. However, a staggering 66% revealed that their device will be unencrypted, and 51% of these won’t even be using a password!
The well-documented implications of failing to comply with data privacy regulations, such as Sarbanes-Oxley or the Data Protection Act, are just the tip of the financial iceberg.
Lost revenue from reduced customer confidence and the price of rebuilding a damaged brand are often incalculable and can be insurmountable. I would argue that the RIGHT solution is priceless - that said, it isn’t free!
Where do we go from here?
The best way to secure data is to keep it locked away on the corporate network and NEVER allow anyone access to it. Now, if your organisation can operate like that then fair play to you. Back in the real world that’s just not a viable option.
The reality is that there will be a multitude of people within your company who need access to sensitive data in their day-to-day activities. As we’ve established, they won’t always be within the safe confines of the building, so it is a given that your data has been, and will continue to be, transported beyond the walls you’ve built to protect it - whether made of brick or fire.
The stance you need to take is mitigating the risk this presents whilst enabling business to continue unhindered.
Today, there are many encryption products available offering the promise of data protection and compliance. However, the reality is that attempting to deploy a single ‘point’ solution to meet all needs can pose more problems than it solves.
While some encryption products address the issue of protecting data on particular devices or for particular users, they fail to incorporate the full security landscape of your enterprise.
The truth is, in your heterogeneous environment, plugging one gap just leaves all the others wide open. To be truly secure you would then need to look at each and every way data is stored and transported, and then employ a solution for each.
It’s immediately clear that the expense of this approach is potentially massive, not only in purchasing and deploying all these disparate systems but in trying to manage them. The margin for error is also huge, often resulting in an ineffective solution due to poor manageability and a lack of interoperability with existing IT tools and processes, thus rendering the investment redundant.
I would also argue that to prove compliance without the benefit of a single, integrated management and reporting framework is extremely difficult if not impossible, so you could never be certain a breach wouldn’t occur anyway.
In summary, you need to be canny if you’re to negotiate your way through the security minefield on a budget. But you needn’t do so alone. Here are five basic requirements that will help you select the right solution to keep your data from harm:
- A security solution for a mobile workforce should be centrally managed and policy based for maximum control, ensuring encryption can be addressed on all devices and for all users, so that the data your staff carries is protected
- A solution should be adaptable to encompass every device currently utilised by your organisation e.g. desktops, laptops, handheld devices and removable media, but also the unknown devices of tomorrow
- A solution should provide flexibility in the way the data is encrypted, e.g. hardware based full disk encryption or software based full disk encryption
- A solution should be as transparent as possible to the end user so they’re not able to disable or bypass the protection
- A solution should provide seamless protection without slowing the device or hindering the user.
It is unrealistic to simply stop spending money on security and expect to remain secure. However, by thinking outside the box and purchasing a solution that does the same you can keep the financial director happy and your data secure.
Bob Heard is Chief Executive Officer & Founder, Credant Technologies