• December 10, 2020
  • Catagory Data Protection

Not all business information is sensitive data

By : Justin Folkerts

The trick to protecting sensitive data is understanding not all business information must be protected.

Even organizations that understand the need for robust information security spend heavily on software and hardware without measuring its return on investment (ROI), only to still fail at safeguarding the most sensitive information that’s the lifeblood of their business because they failed to define what it is before apply security controls.

If you want to adequately protect your most valuable data, you must understand which business information is most critical to your bottom line.

Not all data is equal

It’s seems counter-intuitive, but the reason information security often fails to protect sensitive data is the mistaken belief that all information must be protected equally. Even before the pandemic and remote work became the norm, distributed workers, branch offices, mobile devices, and the evolving Internet of Things (IoT) meant organizations have had to become smarter about how they secure sensitive data. Now it’s more important than ever to make the business case for information security.

The business case isn’t a request for a bigger information security or more technology. Rather, it’s about identifying sensitive data, understanding its value, and being clear about what’s necessary to protect it. You need to operationalize a change in mindset that delivers ROI and protects the sensitive data that powers your business.  However, it can be difficult for organizations to step back and understand what data is the most valuable when it’s growing exponentially.

One thing is for certain, however: Trying to protect every single bit of data equally isn’t cost effective.

Sensitive data must be defined to be protected

If organizations are to marshal their information security resources effectively, they must narrow their scope and define what constitutes sensitive information. While the definition can be guided by compliance and regulator obligations, it’s just as important to figure what data constitutes as a critical asset to the business.

Just as a fleet of trucks are critical assets for a transportation company, every business today has stored information that is critical to daily operations—that’s the sensitive data that must be protected. Otherwise, there are financial repercussions in the form of lost competitive advantage and fines for non-compliance, both of which lead to lost revenue, as do settlements from litigation and damaged reputations.

While compliance obligations and privacy legislation do dictate that some information be prioritized by information security strategies, they’re just the beginning. A healthcare organization that may have all their patient data effectively secured but not have all their research data protected—it’s just as valuable as it may support patent application or attract grant money, and has the potential to generate revenue. Personally Identifiable Information (PII) is always an obvious candidate for protection because compliance and regulatory frameworks deem it as sensitive, but intellectual property or data that’s essential to running your business is just as critical.

Treat sensitive data like a business asset

If you want get ROI from your information security spending, you need to think differently. You must understand your data on a deeper level so you can assign a value to it. There’s plenty of information residing in your organization that won’t cripple your organization if it’s lost. But your sensitive data must be assigned appropriate valuations that will be the of a business case for information security spending.

Getting an ROI on your information security spending is about anticipating incidents that haven’t happened yet, much like an insurance company considers the likelihood of natural disasters. To determine sensitive data and its value, you must weigh the cost of the protections you put in place with the financial impact of any breach and its likely frequency.

The simplest approach its to categorize data in three ways: data can be shared freely; sensitive data that can be shared with certain audiences in specific ways, and data that must remain confidential to the organization and never shared. The process of segmented and prioritizing data enables to apply the appropriate information security controls, so you understand the complete lifecycle of all data and adequately protect it based on the repercussions of losing it.

Treating sensitive data like a business asset enables you to make the case for information security so ROI can be effectively measured so can protect these valuable assets as you would any other important investment.

  • October 29, 2020
  • Catagory remote work

Improving security for remote workers should be a priority for IT teams

By : Sanjeev Spolia

Improving security for remote workers will hopefully be an inevitable consequence of the Covid-19 pandemic, and despite the inherent challenges, it should be a priority for IT teams.

Recent reports by Cisco looking at the future of secure remote work and consumer privacy found that IT buyers had been caught off-guard by the sudden shift of employees working from home, but are now speeding up adoption of technologies to support remote work. A majority of the 3,000 IT decision makers surveyed by Cisco rate cybersecurity as extremely or more important than it had been before the beginning of pandemic.

Guaranteeing access, securely

The biggest challenge for all IT teams regardless of an organization’s size has been improving security for remote workers, although providing the necessary access to the applications and data they needed came first. It comes at a time when the average consumer also values security and privacy as a social and economic issue, according to Cisco.

However, the company’s own research found there was a lot of work to be done toward improving security for remote workers by IT teams as just over half were somewhat prepared for the accelerated transition earlier this year. Endpoints, including those owned by organization, were cited as being the most difficult to protect, according to the Cisco survey, followed by customer information and cloud systems  with the ability to securely control access to the enterprise network being the biggest challenge.

Improving security for remote workers will no doubt continue to be an priority for IT teams, even post-pandemic, as some employees will continue to want the flexibility of working from home and organizations see continued benefits, including cost savings on office space, by not having everyone in a traditional office environment.

Digital transformation can lead to a more secure cloud infrastructure

While IT teams are likely to see some budget increases that will specifically support improving security for remote workers, there are many initiatives that can help improve overall cybersecurity posture for organizations that are already common steps in a digital transformation journey.

If you haven’t already, you should establish a cloud security strategy that’s part of a broader transition cloud infrastructure transition. This will indirectly go toward enhancing security for remote workers while allowing IT teams to have to worry less about on-premises systems that were unprepared for the sudden shift to remote work. While putting more applications and data the cloud come with their own cybersecurity challenges, they can scale better than on-premises solutions and provide the necessary flexibility for supporting a remote workforce.

The transition to the cloud should also include embracing new tools to stay secure, recognizing that IT teams still have some responsibility for securing cloud applications and data, even as the service provider has a role in securing systems, too. IT teams need visibility into cloud infrastructure as well as their on-premises deployments in a single interface.

At the same time, IT teams should consider what experts are calling “zero-trust security strategies.” A zero-trust approach assumes all users and endpoints could present a threat to the organization, so they must be able to prove they are trusted if they are to gain access to the enterprise network, applications and data.

You can be small and secure

For smaller organizations, improving security for remote workers is just as essential but can be challenge for their IT teams. A managed services provider with experience helping small and medium-sized business with their technology infrastructure can play a key role in accelerating their adoption of solutions that can support remote workers with robust security.

Sanjeev Spolia is CEO of Supra ITS

  • October 15, 2020
  • Catagory cybersecurity

Cybersecurity Awareness is Everyone’s Responsibility, Especially in the Remote Work Era

By : Sanjeev Spolia

The shift to remote work means cybersecurity awareness across your organization is more important than ever for maintaining ongoing business operations and regulatory compliance.

Even before the pandemic, most organizations had become rather porous in nature from a network security perspective thanks to the Bring Your Own Device (BYOD) movement, adoption of cloud computing, distributed locations, and an already increasingly mobile workforce. But while security technology has emerged to keep up with these trends, it’s not a silver bullet. Every employee needs a heighten level of cybersecurity awareness.

Remote work means that how an employee manages their device at their home office can have an impact on the organization’s entire network. Their cybersecurity awareness means understanding their workstation is an endpoint that must be configured properly as to contribute to the overall security posture of the organization.

Training is critical to maximize cybersecurity awareness amongst your employees, especially remote workers. But it’s easy to lose their attention if training isn’t clear and engaging. If you’re doing regular phishing tests for your employees, try to have a sense of humour with the email content you’re creating as part of the test, for example, but also make sure employees understand the lesson without being made to feel stupid.  

Cybersecurity awareness training should be done regularly as part of regular operations, and at least quarterly, rather than being big annual event, because threats to the organization are ongoing as hackers automate their processes to optimize their chance of success. You should also involve the executive team in your training, so everyone understands that cybersecurity awareness is critical to the success of the business. You might have the CEO do a short video, which is easy to share with remote workers.

The training shouldn’t be solely the responsibility of the security team, either. Lines of business leaders should help to spearhead cybersecurity awareness, and it should be a part of your remote work strategy.

It’s important to remember that cybersecurity awareness isn’t only about protecting against threat actors, malware and ransomware, and malicious data theft. Employees need to understand that good security also helps the organization stay compliant with government privacy legislation and meet regulatory obligations that apply to their industry. Data breaches not only have the potential to cripple business operations and negatively affect customers, but also lead to financial and legal penalties that can profoundly affect the long-term health of the organization.

Most people have adapted to remote work for the past seven months, but because organizations are more distributed than ever, there’s a potential for cybersecurity awareness efforts to lapse, even as be bad people around the world continue to take advantage of the new work-from-home reality. Those doing remote work as part of a connected organization must continue to be vigilant about security as part of their daily work habits.

Sanjeev Spolia is CEO of Supra ITS.