As social networking sites like Facebook, Twitter, MySpace and LinkedIn become an everyday part of the business environment, the risk and cost to businesses also increase. Many organisations even view social media platforms as essential to their operation. With the increased use of these sites, it is vital to control risk and quantify the real cost. Uncontrolled use across the company will lead to costs spiralling out of control and can expose the organisation to unnecessary information security risk.
Information is a key driver and has become the lifeblood of every modern organisation. In the ever-changing environment in which business is conducted, it is more important than ever to ensure that information is protected and risk is minimised.
Preventing staff from accessing social networks is no longer an option; instead, company executives have to apply sound security measures to ensure their information is protected and costs are controlled. It is critical for all companies to create an environment in which all staff are empowered to be the guardians of information.
The entire continent has seen an explosion of bandwidth, which has brought with it masses of new, naïve and uneducated Internet users. These ‘new’ users are more susceptible to the ever-changing risks and tactics employed to get users to part with sensitive information, and it is essential that these risks are mitigated in a systematic manner. The objective must be to identify the challenges that organisations face and implement all possible solutions to mitigate the risk that the human factor poses to an organisation’s information security strategy.
“We have been told by several clients that they had previously decided to block social networking sites, especially after noticing the extensive use of these sites. They soon discovered that since blocking these sites, users were finding ingenious but dangerous and risky ways of accessing these sites. This opened them up to very nasty network vulnerabilities and threats,” says John Mc Loughlin, managing director of J2 Software, a local IT security specialist company.
“In addition, at one of our mid-range clients we quickly discovered that there was an average of well over 10 hours per week per employee spent on these sites. This amounted to just over 20 percent of their total work time being wasted. This essentially meant that a full-time employee was working less than 80 percent of the time, owing to a single website. I am sure the staff would not be happy if they were only paid 80 percent of their salary.”
The total cost of this type of activity is not always taken into account. It includes not only direct costs such as wasted bandwidth but also productivity loss and reputational risk, which can be far more costly if an incident becomes public.
He says these advances have brought great opportunity, but with it comes even greater risk and potential for exploitation. “This risk is to be felt by both the new unsophisticated individual user and specifically users within corporate or governmental organisations. It is critical that ICT Governance, Risk and Compliance (GRC) become a part of the very essence or DNA of any organisation. This will ensure long term information security and business sustainability.”
According to a number of recent studies, the ‘Insider Threat’ has grown to become the most feared information security risk in most organisations today. Regardless of the technologies that an organisation may deploy to mitigate the risk of information security breaches and control costs, the critical factor is always people.
“The time is right to discuss the major challenges that managers face when attempting to uphold their information security and compliance strategy, while allowing access to the modern business platforms which have permeated our existence. We are living in the age of sharing and it is the perfect time to share experiences and solutions in an aim to help overcome the complexity of these issues,” he explains.
Building information security into the DNA of any organisation is the key to achieving compliance, controlling costs and mitigating risk, but it also presents the biggest challenge, especially for large and complex organisations. Even in organisations where other aspects of security are paramount, for example national security in defence environments, the internal regulation of information security policies can prove more difficult to enforce.
Driving down the cost of compliance is not only the key to competitive advantage, but also to compliance being taken seriously and becoming part of a cost-effective executive risk management strategy. If compliance, control and enforcement are too time-consuming and complex, they will be ignored or short cuts will be taken.
The buy-in process needs to start at board level and then progress down to the general employee level. Achieving this is not easy and the challenges differ according to the level of maturity of the organisation.
There must be a balance between business risk, business operations and business competitiveness. This also requires the organisation to use tools that are proactive rather than reactive. Responsibility for compliance should be uniform throughout the organisation, but the supervision and monitoring of that compliance must not be delegated too far down the chain.
“Unseen risks cause damage and unfortunately, one cannot manage what one cannot see. This is a simple phrase to keep in mind when implementing the Governance, Risk and Compliance strategy. Incidents will inevitably occur but ongoing proactive automated enforcement, staff education and end user buy-in will minimise the likelihood and impact of unforeseen risks.
“If your people know the risks, are educated in what is acceptable and you take steps to proactively monitor what is happening across the organisation you will be able to protect against risks – and control costs,” he concludes.
By Angela Meadon