How to cut costs and still remain secure

You’ve just heard your budgets have been cut once again! This time it’s across all IT and security has got to be slashed too. As a CISO or IT manager, or indeed a member of an organization that has sensitive information to keep safe at all times in spite of a wide mobile workforce, using an assortment of portable devices and removable media, you suddenly feel it’s like a time bomb waiting to go off.

How did we get to where we are?
Whilst reduced spending may be good for the company’s balance sheet, often data security has been the trade off. Let’s look at the evidence:

1. Companies now have tighter budgets and yet are working with far less staff.
2. More hours less pay – is now the mantra!
3. Mobile and remote working has gained in popularity.
4. Companies are faced with the unenviable dilemma: to get the job done they must embrace this mobile practice, yet this practice poses serious threats to data security which are costly to address. So ultimately the question becomes one of whether the gains are worth the risk with smaller budgets?
Only you can answer that for your organization but there are few who really feel they have a choice. In fact, a survey conducted by Credant this summer confirmed that mobile working is very much a reality and few organizations are prepared: “The “mobile habits, leisure and security” survey revealed that more people than ever before plan to holiday with a laptop in 2010 with 64%, an increase from 33% two years ago, confirmed that they will take their laptop with them for work, however a staggering 66% revealed that their device will be unencrypted and 51% of these won’t even be using a password!”

It’s a nightmare scenario for those responsible for security with employees now accessing their emails and network even when they are away, but often oblivious to the security implications of connecting using secure devices and networks. The well documented implications of failing to comply with data privacy regulations, such as Sarbanes Oxley or the Data Protection Act, are just the tip of the financial iceberg. Lost revenue from reduced customer confidence when data goes missing and hits the public eye can be catastrophic and the price of rebuilding a damaged brand are often incalculable and can be insurmountable. I would argue that the RIGHT solution is priceless – that said, it isn’t free!

Where do we go from here?
The best way to secure data is to keep it locked away on the corporate network and NEVER allow anyone access to it. Now, if your organization can operate like that then fair play to you. Back in the real world that’s just not a viable option.

The reality is that there will be a magnitude of people within your company that need access to sensitive data in their day to day activities. As we’ve established, they won’t always be within the safe confines of the building, so it is a given that your data has been, and will continue to be, transported beyond the walls you’ve built to protect it – whether made of brick or fire.

The stance you need to take is mitigating the risk this presents whilst enabling business to continue unhindered. Today, there are many encryption products available offering the promise of data protection and compliance. However, the reality is that attempting to deploy a single “point’ solution to meet all needs can pose more problems than it solves.

The truth is, in your heterogeneous environment, plugging one gap just leaves all the others wide open. To be truly secure you would then need to look at each and every way data is stored and transported, and then employ a solution for each. It’s immediately clear that the expense of this approach is potentially massive – not only in purchasing, deploying and trying to manage all these disparate systems – but the margin for error is also huge, often resulting in an ineffective solution due to poor manageability, and a lack of interoperability with existing IT tools and processes, thus rendering the investment redundant.

I would also argue that to prove compliance without the benefit of a single, integrated management and reporting framework is extremely difficult if not impossible, so you could never be certain a breach wouldn’t occur anyway. In summary, you need to be canny if you’re to negotiate your way through the security minefield on a budget. But you needn’t do so alone. Here are five basic requirements that will help you select the right solution to keep your data from harm:

1. A security solution for a mobile workforce, should be centrally managed and policy based for maximum control, ensuring encryption can be addressed on all devices and for all users, so that the data your staff carries is protected.
2. A solution should be adaptable to encompass every device currently utilized by your organization e.g. desktops, laptops, handheld devices and removable media, but also the unknown devices of tomorrow.
3. A solution should provide flexibility in the way the data is encrypted, e.g. hardware based full disk encryption or software based full disk encryption.
4. A solution should be as transparent as possible to the end user so they’re not able to disable or bypass the protection.
5. A solution should provide seamless protection without slowing the device or hindering the user.

It is unrealistic to simply stop spending money on security and expect to remain secure. However, by thinking outside the box and purchasing a solution that does the same you can keep the financial director happy and your data secure.