Social networks are posing a massive security threat to companies worldwide as malware and spam increase. With Twitter, MySpace, Facebook and LinkedIn becoming essential business tools, preventing staff from accessing these networks is no longer a solution. Companies merely have to apply sound security measures to ensure they are protected.
Events across the globe over the past 18 months have seen internal information security breaches escalate to an unprecedented level. As the complexity of data and the ease of access keeps increasing, companies have a golden opportunity to push information security to the top of their agenda to protect their information assets and the privacy of their electronic identity.
As the largest social network, Facebook poses the greatest threat, especially considering its privacy rules that encourage users to share their information with everybody on the Internet. Furthermore, today's networks are highly dynamic, new technologies add complexity, and the number and type of applications and systems on networks continue to grow.
Information security risks multiply in number and scale as attackers become more sophisticated. In addition, employees and contractors come and go, while customers and business partners demand ever more online access to applications, breaking down traditional barriers and enforcement points. Security specialists focus more time, energy, and budget to protect sensitive corporate resources, yet network breaches continue to occur.
While networks are increasingly dynamic, most security systems remain dangerously static. These systems do not always understand the context of the networks they protect, leaving administrators to sort through a growing number of alerts. These systems require constant manual tweaking and tuning to address changing threats and network resources. Furthermore, they lack an understanding of who is using the network and which individuals are affected by security incidents.
"With the ever-changing environment in which business is conducted, it is more important than ever to ensure that information is protected and risk is minimised. Information has become the lifeblood of the modern organisation, information drives business. Without it, business dies," says local IT security specialist company J2 Software CEO John McLoughlin.
"This is further displayed by the growing number of high-profile information security breaches around the world. This is not a problem which is only resident in industrialised nations, but it is relevant to everyone, specifically those in developing nations. These breaches cost millions and can destroy any organisation."
There is an explosion of Internet connectivity and accessibility across the African continent, exposing more and more new global Internet users. These advances have brought about great opportunity, but along with it is the rise of even greater risk and potential for exploitation. This risk is to be felt by both the new unsophisticated individual user, and specifically, users within corporate or governmental organisations.
There are ever-changing risks and strategies designed to get users to part with sensitive information, and it is essential that these risks are mitigated in a systematic manner. It has therefore become a requirement for everyone to create the correct environment, one in which all staff are empowered to be the guardians of information.
The objective must be to identify the challenges that organisations face and implement all possible solutions to mitigate the risk that the human factor poses in an organisation's information security strategy.
"It is critical that ICT governance, risk and compliance (GRC) become a part of the very essence or DNA of any organisation. This will ensure long-term information security and business sustainability," he stresses.
Globally, there are continually new laws and governance codes being introduced. It is therefore imperative that regulatory compliance is seen as an opportunity to increase an organisation's competitive advantage and should not be seen as an inhibiting factor.
Achieving top level executive buy-in is the key to a healthy information security environment throughout the organisation. This will only work with a tailored, user-friendly and 'live' information security policy document enforced via a combination of automated electronic tools.
According to a number of recent studies, the 'Insider Threat' has grown to become the most feared information security risk in most organisations today. Regardless of the technologies and software solutions that an organisation may deploy to mitigate the risk of information security breaches, the critical factor is always people.
The only solution is to build information security into the DNA of the organisation and its employees – "making your people the guardians of your information".
"Working with large and small organisations in various sectors, including distribution, precision engineering, pharmaceutical and financial services, it has become evident that only a relatively small number of people are maliciously or intentionally non-compliant with a company's IT security policy. In the majority of cases it is found that non-compliance results from unintentional ignorance, often fuelled by unsupervised or misguided use of computers," he adds.
Today, the time is right to discuss the major challenges that managers face when attempting to uphold their information security and compliance strategy; it is the perfect time to share experiences and solutions in an aim to help overcome the complexity of these issues.
Building information security into the DNA of any organisation is the key to achieving compliance and mitigating risk, but it also presents the biggest challenge, especially for large and complex organisations. Even in organisations where other aspects of security are paramount, e.g., national security in defence environments, the internal regulation of information security policies can prove to be more difficult to enforce.
The buy-in process needs to start at board level and then progress down to the general employee level. Achieving this is not easy and the challenges differ according to the level of maturity of the organisation. Work still needs to be done at board level to change the attitude that compliance costs money and is akin to buying insurance. If nothing has happened, why buy more protection?
There must be a balance between business risk, business operations and business competitiveness. This also requires the organisation to use tools that are proactive as opposed to reactive. Responsibility for compliance should be uniform throughout the organisation, but the supervision and monitoring of such compliance must not be delegated too far down the chain.
Driving down the cost of compliance is not only the key to competitive advantage, but also to compliance being taken seriously and becoming part of a cost-effective executive risk management strategy. If compliance is too time-consuming and complex, it will be ignored or shortcuts will be taken.
Compliance must be turned into competitive advantage whereby the opportunity cost of being compliant is vastly reduced. In order to help achieve this, compliance roles should not be separate, but should be seen as business enablers, integrating the compliance needs of audit and IT and communicating this at a board level.
He says unseen risks cause damage and unfortunately, one cannot manage what one cannot see. "This is a simple phrase to keep in mind when implementing the governance, risk and compliance strategy. Incidents will inevitably occur regardless of effective security measures, but ongoing proactive automated enforcement, staff education and end-user buy-in will minimise the likelihood and impact of unforeseen risks."
When information security is embedded into an organisation's DNA, compliance not only involves observing the formal rules as laid out in the policy, but also includes observing the informal rules governing circumstances that may not be anticipated. Observing these informal rules will demonstrate that security is well and truly embedded in the organisation's DNA.
"Once this process is initiated, a simple but effective test of how well security is embedded into the DNA can be illustrated by leaving a confidential document on the floor in a common area to see how it is handled by passing staff. Employees must be confident in handling situations where they may not have the familiar security parameters around them and the informal rules or corporate morals will kick in automatically," he concludes.