The rapid evolution of computing devices has enabled 24/7 access to information and services almost everywhere. However, the abundance of technology has introduced a wealth of data security concerns that need to be addressed. The problem is that security measures impact the usefulness of data; too much security will make systems unusable, while too little will make them too risky to use. A fine balance between the two is needed, but what does this look like?
Chasing the ideal
A good example of this balance can be seen in contactless bank cards, which enable us to pay up to £20 by simply tapping them against a reader without the need for a PIN or signature. The security measures in place are twofold. First, the maximum payment limit prevents criminals from spending huge amounts if you lose your card. And second, banks have made it easier to cancel a bank card and reimburse any money if it is stolen. The security aspects of contactless bank cards haven’t stood in the way of making them useable and their popularity is growing day by day.
Balancing act for businesses
So what can businesses learn from innovations like these? To properly decide what safeguards are needed, we need to understand that business data is incredibly valuable – a lost file could result in competitors stealing intellectual property, or the records of millions of customers being made public. For others, it can be a matter of national security.
The most security-conscious organisations have authentication processes involving rigorous physical and electronic checkpoints, which can take several minutes to get through. This means that even a simple toilet break can result in a significant amount of offline time. This is one extreme of the security spectrum – for the most secret data, it is warranted. In a business context, these types of controls would often be totally unreasonable. Yet at the same time, organisations can’t leave the door wide open.
Don’t have it if you don’t need it
To strike the balance between security and usability, businesses need to implement solutions that support the way that we work. To do this, businesses should look at what data each user requires access to and grant access only to those files and directories. For example, an HR department wouldn’t necessarily need to use a customer database, so it shouldn’t be automatically granted access to it. Nor should data be allowed to be stored on unlicensed devices. This will alleviate the risk of file loss without affecting the work of those who actually need the data.
Encryption for all
Controlling access is only one step. As pessimistic as it sounds, a data breach at any organisation is, given time, certain to happen. Businesses need to take a fatalistic stance when it comes to security – they should assume that they have already been breached and assess their options accordingly. Key to this is data encryption, which will make any stolen data unusable by an unauthorised user. This is perhaps one of the most effective security measures organisations can take, as even if an intruder accesses a company’s data, they can’t do anything with it. The importance of encryption can’t be overstated. The Information Commissioner’s Office has been promoting the need for data encryption across the board, clamping down increasingly hard on organisations that are found not to use it effectively – or at all.
A lesson in security
Regardless of the measures an organisation takes, the weakest link will nearly always be the human factor. Consequently, it’s more important than ever that employees are educated about the risks that they take when using sensitive data. At a minimum, employees should learn basic security measures, ranging from choosing strong passwords to best practice when handling data or working on a mobile device.
In addition, companies should take the time to inform employees about everyday security risks. For example, there are several different phishing scams doing the rounds which are all engineered to extract valuable data. Informing employees about some of the tell-tale signs of phishing scams to look out for is a simple step towards avoiding catastrophe. Ultimately, it comes down to the security department staying on top of the latest security threats, and sharing that information throughout the organisation.
Achieving the balancing act
Ultimately, security measures do not need to be overly complicated. Business-level security does not need to obstruct usability, but that is not to say that it shouldn’t exist altogether. The best way to assess an organisation’s security needs is to assume that it has already suffered a data breach and implement measures accordingly. Overcomplicating security will only obstruct workflows, but measures like data encryption, correct access privileges and worker education are all ways of striking the fine balance between usability and security.
By Chris McIntosh, CEO, ViaSat UK