When it comes to planning and executing projects to improve enterprise security, I find that IT security practitioners frequently focus on the wrong things.
First, don’t focus on computers and network routers when you should be focused on the data that traverses them. For example, are you putting the same amount of effort into protecting sensitive files downloaded on smartphones as you are into securing the backend file storage? It’s easy to be distracted by the latest technology “new toy” and to forget that any component, big or small, may or may not be your weakest security link.
By focusing on data flows and classification, you’re more likely to notice soft spots in your IT security defenses. The bad guys are doing the same thing: identifying the valuable data that they want, looking at every place that data is accessible, and going for the weakest one. Focus on the data.
Second, don’t focus on data when you should be focused on people. Personnel vetting, onboarding (welcome to the project) and offboarding (goodbye) procedures, proper training – these things can all make or break enterprise security, and yet we routinely underinvest in them. Why is that? Well, they’re tough to quantify, and people don’t want to feel like their own organization is lacking trust.
The key is to remember that the whole purpose of file servers and data protection measures is to allow people to do their jobs efficiently and securely. People create and consume the data and are the reason the business has value. User-facing data loss prevention technologies can be implemented efficiently, professionally, and sensitively, given a moderate investment of planning and care.
Just as people are the critical asset for a competitive business, they are also the critical asset for enabling secure IT services. Learn more in the JW Secure article, Protect Your Business by Building a Security A-Team.