The traditional network perimeter is a relic—a vestige of a time before the advent of easy mobility. And security strategies that focus on traditional perimeter defense are a symptom of change resistance and of a fixation on the past rather than a vision for the future.
Consider this: the latest Ericsson mobility report says that 90 percent of the world’s population over the age of six will own a smartphone by 2020. That’s a lot of devices in the hands of as many as 6.6 billion people. And as the number of employees, contractors, partners and customers requiring access to your network grows, so too do the challenges to security and risks to your enterprise—the defense of your dissolving perimeter.
Mobility accommodation and the era of bring-your-own-device (BYOD) cannot be avoided without accepting lost opportunity. Employees want to be able to do their jobs from wherever they are; your job is to make sure they can—while maintaining data and network security. How can you enable a BYOD culture while balancing network protections with productivity and usability?
Easy mobile access to data and collaboration tools seems at odds with data protection, governance and compliance, but it doesn’t have to be. Consider that overly restrictive policies may result in the use of unauthorized applications and work-around techniques intended to avoid detection. Such behavior leads to the introduction of so-called shadow technology to the enterprise. By prodding employees beyond the view and control of IT, overly restrictive policies may actually increase the risk of a data breach.
If tackling a mobile access and security program is something that is on your enterprise’s to-do list, but keeps getting pushed back because the task seems too daunting, it might help to start with a three-step preparatory strategy. In doing so, you can gain a clearer understanding of your overall risk profile.
Step One: Data Mapping
Before you can protect data and make sure that it’s accessible, you have to know where it is and how it moves throughout your network. Data may be stored on-premises, in the cloud, or on the devices of any number of employees. Knowing that in the abstract is one thing, but identifying specific locations is essential to adopting a meaningful management strategy.
Step Two: Data Classification
Data classification itself is a multi-step process, but it is an essential exercise for establishing a strategy for defending the human perimeter. After data mapping, but before data classification, it’s important to assess your organization’s appetite for risk. This is a matter requiring legal input, and it affects every aspect of the data lifecycle. What data should you collect, create and manage? How long should you retain that data? Who should have access?
None of these questions can be answered without a thorough understanding of the regulatory implications involved and the business need. Once risk appetite is determined, however, classification can be used to decide what information requires your tightest security and what data can be made readily and easily available to all who need access, whether at their desk or on the road.
Step Three: Policy Inventory
Taking an inventory of relevant security and governance regulations goes hand-in-hand with risk assessment and data classification.
The policies you draft to inform proper handling of data—along with how to assign and manage privileged access—will depend heavily on which state, federal, international and industry regulations apply. In the event of a data breach, these policies may play a major role in the mitigation of the costs associated with an adverse security incident. According to the Ponemon Institute’s 2016 Cost of a Data Breach Report, an adverse security incident can come with a price tag that now averages $4 million per incident.
One trap to avoid while drafting data management and security policies is that of writing based on the organization’s present state. We work at a time of rapid change and, even though policies may require annual review, the future direction of the business should be taken into account in order to accommodate anticipated and inevitable change.
Finally, once policies have been written and implemented, it’s essential that all employees are made aware of their responsibility for data security, and that requires training and education. In fact, documented annual training is mandated by some data security laws, such as Massachusetts’ data security law 201 CMR 17.
With an understanding of the risks and challenges involved, your human perimeter can be successfully managed. Without it, you risk losing talent, opportunity, reputation and a lot of money. The good news is, with a sound approach, it is possible to accomplish the task.