By Jeff Schmidt, Executive Global Head of Business Continuity, Security & Governance, BT Global Services
Part 2 of a 2 part blog
It is somewhat hubris in our intent to believe we can prevent end-users (permitted users) from finding ways to gain access to corporate data from their own devices. In part, this can be attributed to the demise of the eight-hour working day. We recognise that business requirements can surface anytime of the day, any day of the week. More and more frequently, companies expect their employees to be available “anytime, anywhere” to handle business needs; and those employees aren’t always in a position to grab their corporate computer and review a critical email or document. We need to be mindful that the enthusiasm with today’s end-user devices requires the ease of accessing corporate data — and the simplicity of carrying less technology resources with more power.
Hence, the education of the end-users regarding security issues is essential. No matter how good your policies are, the weakest link is not always a malicious user but often a well-intended user who takes the wrong route.
Build the right security policies, be flexible and work to provide the right blend of enablement so you have control over the critical assets of the business without stifling productivity. In many cases, a user who is not educated on process and policy, who in the spirit of trying to do the right thing, ends up exposing the company.
It doesn’t take a lot to explain why policies are in place and why they are important. Go beyond just stating, “this is our policy.” Instead, explain to employees why the policies are in place to ensure corporate data is protected. You can’t please everyone all the time, but when someone understands the rationale behind the policies, they’ll more likely stay clear of actions that could potentially harm the company and its assets.
As you develop and implement best practices to security network access, don’t forget the telecom side and the old “bricks and mortar” components of the business. Many companies are so focused on protecting their networks they forget that the more traditional “telephony” side of the business (phones, faxes and modems) present as much risk. And with the proliferation today of electronic gadgets, be mindful of refreshing (and reminding employees about) policies governing the protection of hard copies of documents and information, including hard copy plans, budgets, and paper notes taken during meetings. All too often, it’s these hard copy items that are mistakenly left behind in the seat pocket on an airplane or in a taxi or bus or hotel room.
And finally, it’s critical that you test your security processes on a regular, on-going basis. Find ways to monitor the environment to ensure that the right behaviours are taking place — and re-educate your employees continuously. Apply the right metrics to the businesses risk appetite and match that against the governance, risk and compliance aspects.
Use that data in your board level discussions to effectively raise hot spots and where focus needs to be placed. Such facts are the most valuable resource to ensuring security policies are continuously kept current within today’s business environment.
- Starting with the right agreement from a business perspective is key to obtaining appropriate funding and executive support for successful security policies
- Define your risk appetite and ensure you classify your data appropriately
- Having good policies in place enables you to drive best practices and know that as you make changes, they are applied in unison across the business
- Educate. Explain policy so you can achieve buy-in, measure expectations and continue to educate — “tools are fool proof, fools are not tool proof”
- Test your business practices, inspect what you expect on a regular basis and adjust to meet the changing landscape
- Look beyond the current issues to ensure you have the entire risk environment in focus.
Jeff Schmidt, Executive Global Head of Business Continuity, Security & Governance at BT Global Services, is responsible for every aspect of the security-related products and services BT offers its clients — from overall business strategy, through market research and solution design to delivery and support. Previously, he managed the security side of BT’s business in the Western United States where he had full profit-and-loss responsibility for the sales and delivery of networks, managed security services, consulting services and security software. Jeff has more than 25 years of experience in leadership positions in the information technology business, including positions with Home Savings of America (now a part of JPMorgan Chase), Lucent, the California State Automobile Association (AAA), Paramount Pictures, and InCode Telecom Group (which has since become part of Ericsson). He joined BT when it acquired INS in 2007.