2. Don’t Rely On Compliance Policy Alone
Extensive, stringent security policies often burden employees with costly, time-consuming training. Because reading security policies is not a user-friendly experience, employees tend to read only what they feel they need and dismiss the rest. This apathy signals a need to streamline security policies and make them easier for employees to understand and follow.
3. Support Efficient Workflows
Any enterprise security program should focus on supporting an efficient employee workflow. The employee should be able to open an email, type an address, drag-and-drop a file and decide whether it is sensitive. If it needs to be protected, click a button and send. One mouse click and a little bit of intelligence, and sensitive information is guarded. The same simple approach should be applied at every point of exchange and revision throughout the sensitive information’s lifecycle.
4. Focus on Protecting Information vs. Infrastructure
Infrastructure in an age of BYOD is too vulnerable. A new paradigm that protects the data before the infrastructure is necessary. Properly protected data stays secure when the infrastructure gets cracked, which it often does. Protect data first. Companies whose sensitive data is at stake want a detailed user interface that is easy to learn yet still provides the utmost control and flexibility over who, inside and outside the organization, can see that data.
5. Ubiquitous Security Through Access Control
A best practice is to ensure that high-value information is matched to people of high “security” value: those who are trustworthy and hold the appropriate permissions and access. Consider all end users agents of security. End users are also partners and providers, particularly in an age of cloud computing. This fact calls for provider shielding: once encryption is set for their application and use, the provider should have no capability to access the information held in its customers’ data. A provider can (and should) still help clients build a private cloud without being privy to its content.
6. Beware of Consumer-Grade Cloud File Sharing
One of the greatest end-user enterprise security threats is the competition from convenient, fast-emerging consumer electronics and platforms for data exchange and collaboration, such as free cloud-based file sharing. Today, employees need to collaborate. If the enterprise doesn’t provide a secure file-sharing system, they will certainly use one of the many insecure consumer-grade platforms to get the job done.
7. ‘He Who Guards Everything Guards Nothing’
Frederick II of Prussia said it, but the expression applies here. It prompts leadership to think efficiently about what needs to be guarded. Focus on risk areas and take action on them, rather than safeguarding everything. Where are the obvious and the more obscure risks? Simply put: Secure your vulnerable and high-value data.
8. Guard Against Inside Jobs
Many security breaches and data compromises are inside jobs; there may be an Edward Snowden down the hall from you. External stakeholders pose risk, but internal stakeholders can pose more. Focus on access and privacy controls, and instill security policy and compliance from the inside out. Guard with targeted precision, and your protection will be stronger.
9. Security Can’t Be an Afterthought; Ease of Use Is Important
Security must be tightly integrated into the professional enterprise technologies that end-user employees are already using, not bolted on afterward. Security solutions should seamlessly and tightly integrate with popular applications that are part of employees’ workflows. If a busy employee has to close out of Microsoft Outlook or open another program window to secure his email, he will likely skip the step.
10. Security Should Be Selective but Simple
Easy-to-use technology and a little bit of intelligence can not only guard newly created information but also help classify existing unprotected information. A company can use three easily understood categories of information: a) I know it’s sensitive, so store it in the most secure category of our solution; b) I think it’s sensitive, so store it in a medium-security area; c) I know it’s not sensitive, so leave it on a hard drive.
11. Turn Employees From Liabilities to Security Assets
Easy-to-execute, people-friendly security training and qualification will be the most effective and focused way to ensure compliance. Remember, most of the time employees will choose the pressures of their job over the drudgery of reading a security policy or navigating complex technology. Select the best technology to enable the company’s policy. It should be as easy to be secure as it is to just send a file. It costs one click.