Is Security Possible?
By Eileen Feretic | Posted 2009-03-31
Are we losing the battle to keep our information safe? It certainly seems that way.
Is information security a losing battle, or can organizations actually turn it around?
For our cover story, “Is Your Information Really Safe?” Ericka Chickowski spoke with consultants, researchers and IT managers to get an answer to that question. The response? Guarded optimism. The recommendation? Take an information-centric risk management approach.
The consensus among the experts interviewed is that technology, though a big part of the solution, is not enough. The other critical components are people and policies.
Let’s face it, people are a big part of the problem. And I’m not just talking about hackers, cyber-criminals and disgruntled workers. I’m also talking about employees who either don’t understand the importance of taking security precautions or don’t know what to do.
One of the surveys cited provides a good example: More than 88 percent of 2008 data breaches mentioned in the Ponemon study resulted from negligence. Not employee malice or criminal intent—negligence. Fortunately, that’s a problem that can be fixed with appropriate education and clear-cut policies that include strong, consistent enforcement.
Consider another statistic mentioned above: Of the people polled by Credant, 99 percent use their phones for business, and 80 percent store information that could be used to steal their identity. When employees use their personal mobile devices to conduct business, they create a huge security risk, as it’s difficult to control devices the organization doesn’t own. Here again, education and policies with an enforcement component can provide at least a partial solution to this problem.
Unfortunately, in times of tight budgets, there often isn’t money available for employee education. But, when it comes to security training, cutting back is false economy. The cost of recovering from one data breach was $6.6 million last year, according to the Ponemon study. Think how much security training you could do with just a portion of that amount. And think how much you could save by avoiding a data breach.
So, keep that in mind when you put together your security policies and technology initiatives. And don’t skimp on education. It may be the only way to win this battle.