People And Policy: Building Blocks Of Enterprise Security

FP Archives February 2, 2017, 23:53:18 IST

Rob Forsyth, Director, APAC, Sophos, establishes how people can be the weakest security link and how this can be tackled in the security policy. He also elaborates on security in the cloud.


In conversation with Biztech2.com, Rob Forsyth, Director, APAC, Sophos, establishes how people can be the weakest security link in the organisation, and how this needs to be adequately tackled in the security policy. He also elaborates on security in the cloud.

How is anti-social engineering posing a threat to enterprises?

We talk about social engineering, which is defined as the usage of information from social platforms. This becomes negative, i.e. anti-social, when the information gets compromised through advanced persistent threats. By collecting information about a person or organisation little by little, a larger breach can be planned. Anti-social engineering becomes dangerous for an enterprise when people give out company information on such platforms. These bits and pieces fall into a bigger scheme of information and that can be a problem. The information may not be compromised by just an individual but can also be breached through the social circle the person is part of and associates with. Companies need to educate the employees about the power of possessing social data.

How to tackle some of the key security hassles that companies face today?

The first thing to do is aggregation, i.e. bringing together data from all sources. There will be social data available of the company and its employees. Information like this will form a larger picture when all the smaller pieces are put together. Make sure that the employees have a sure idea of what kind of information about the company cannot be revealed at any cost. The main problem is that employees are not able to perceive how small scraps of data can be manipulated into a breach.

Another important aspect is to have your data encrypted, whether the data is within the organisation or in the cloud. Ensure that the data is encrypted at the entry end before you place it in the cloud.

What’s the key to a successful security policy?

Having stringent policies in the enterprise with regards to personal information is key. You would be surprised to see how many people would in ‘good faith’ share sensitive information with others. Many people use the same password for various accounts, and this could lead to a slip because most likely the same is being used for official purposes as well. Enterprises need to ensure there is no domino effect if there is a data breach.

Induction sessions should be held by the HR and IT team together on policies around data and information security. HR and IT need to work in tandem as security is not IT’s problem alone. These initiatives need sponsorship from above and favourably a senior business executive should lead the cause. Plan for regular reinforcements at monthly staff meetings. Develop processes and make them part of the KPIs. While software and security systems can be deployed to ensure that sensitive data doesn’t leave the corporate gateway, it’s important to remember that the weakest link is always the people.

What are your suggestions for companies from a security perspective when moving to the cloud?

Companies have to ensure that they have a backup of all their information and are not dependent on the cloud provider to keep these in case of a wipe out. Further, the backup has to be encrypted. Keeping in mind that the cloud contract might need termination for some reason at a later date, one needs to have clear exit clauses and be aware of the options available from a security standpoint. Further, have these well documented in the SLA. They also need to factor in the possibility of moving that data from one cloud provider to another safely. In case of such an event, ask questions such as:

- If I move will you destroy my data?
- Will you have an option to reuse my data?
- Who else on the same cloud could hack and look into my data?
- What are the measures against that and punishments for that?

Scrutinise the contract, don’t just click next.

Written by FP Archives