Policies, Procedures, Postures

Ross Storey | June 13, 2011
Symantec’s top cybersecurity policy executive discusses the ways the public sector must counter the myriad threats coming their way in 2011.

It is evident that many companies are still neither adequately prepared nor equipped to deal with the increasing consumerisation of IT and mobility of employees. This creates security gaps in business processes, increasing the likelihood and extent of data loss threats. As a result, there is an urgent need for companies to address these issues and take action to reduce the level of security and data loss risk to which they are exposed. Enterprises need to understand what endpoints are being used in their organisations and how, identify where and how their sensitive data is being stored and accessed, and establish criteria and data security policies to manage, govern and enforce compliance across the corporation.

How well prepared do you think most Asian enterprise IT managers are for this ‘new role’, and how quickly do you think they will be able to adapt to these challenges?
A majority of enterprises in Asia are still not well prepared for this ‘new role’ as there is a general sense of inertia to take robust measures. This is because monitoring is still considered a cost, which does not contribute directly to profits.
Also, the Symantec Enterprise Security Survey 2010—Consumerisation of IT study found that 100 percent of respondents surveyed indicated that they are extremely concerned with the loss of confidential/proprietary data. Despite this, 66 percent of the respondents stated that they have not implemented any form of DLP (data loss prevention) system.

What advice do you have for senior IT managers relating to helping their enterprise, or department, to handle the digital mobility issue? What is the roadmap for becoming capable of doing this?
It is important for organisations to put in place protocols and policies to monitor, manage and govern the use of consumer devices and platforms within the workplace, and to manage these consumer devices just as corporate desktops and laptops are managed. Several steps can be taken by companies to safeguard their interactions over mobile devices, including:
•    Be prepared: Acknowledge that employees are going to want to download personal as well as business applications, and deploy the appropriate protection and controls.
•    Educate your employees: Provide guidance on ‘app store best practices’. Identify download sites that scrutinise published applications and those that don’t. Explain the importance of checking digital signatures before installing apps, and why users should not ignore signature warnings or follow developer suggestions to disable validation.
•    Deploy protection: Protect your endpoints against malicious threats and unauthorised access to sensitive corporate information.
•    Set policies and control them: Enforce compliance with security policies to ensure that only secure, policy-compliant devices can access the network and email.
•    Manage your mobile infrastructure: Managing complexity, while controlling costs, through automation is crucial to ensuring a mobile environment is productive as well as secure.

What’s even more important and critical is for organisations to establish and implement a sustainable DLP programme that effectively addresses evolving risk factors brought about by the consumerisation of IT and supports a culture of security. A comprehensive, long-term, sustainable DLP programme is based on:
•    Threat coverage: Information has to be protected wherever it resides, whether at rest, in motion or in use. This requires control points at multiple tiers (i.e. endpoint, gateway, network, back-end databases). Further enhanced compatibility with a cloud environment and Web 2.0 sites provides a more transparent Web experience for end-users that seamlessly prevents data exposure.
•    Data insight: DLP should help enterprises identify their most critical information and enable simplified data clean-up and remediation through automated data owner identification. Besides continuous monitoring and auditing of data usage, DLP needs to ensure adherence to corporate policies and regulatory compliance.
•    Business process integration: DLP must be incorporated into an organisation’s overall business process so that it is viewed as a business necessity, aligned with strategic goals, compliance requirements and risk management.
•    Risk reduction measurement: Enterprises should define achievable and measurable goals, regularly review progress against them, and hold business leaders accountable for meeting them. Mature DLP deployments result in:
    •    building a culture of security where everyone in an organisation understands their role in keeping information secure;
    •    elevating information risk management initiatives to executive-level discussions;
    •    driving business units to define and prioritise their data loss concerns.
•    Identify critical information and simplify remediation: Effective DLP solutions should include a unified platform that allows customers to create policies once and enforce them everywhere to prevent confidential data loss across endpoint, network and storage systems. Integrated DLP technology helps enterprises align their information assets to business goals by simplifying the remediation of exposed critical data.
