The most important safeguard, though, is to have a robust, layered security infrastructure. It is a surer bet than relying on employees never erring in their clicks, taps, and swipes on their social media accounts.
2. Know thy security layers
Layered security, whereby different layers of security controls combine to protect data, devices, and people, is widely adopted today. It ensures that when attacks originate at different points, whether at the network, application, device, or user level, they can be detected and stopped before they spread. It also offers an effective safeguard against different types of threats.
With the changing workplace habits brought on by millennial workers, CIOs should re-examine how they are setting up each layer of protection.
Consider, for instance, the use of personal devices in the workplace. According to a McKinsey & Company study, around 80% of enterprises now allow employees to use personal devices to connect to corporate networks. And increasingly, employees expect their IT departments to support their personal devices with access to corporate applications like email and calendar. This trend, termed BYOD (Bring Your Own Device), poses a number of new security threats.
In particular, CIOs should look at bolstering security at the device layer. The first step is to shore up the devices themselves by mandating some combination of firewalls, anti-malware software, MDM (mobile device management) solutions, and regular patching. A BYOD culture also puts organisations at risk of having their employees' smart devices hacked because of poor passwords. Policies and education on strong passwords are musts.
Device types can also be identified so that less secure devices, such as mobile phones, can be restricted from some parts of the network. Sessions should also be secured, such as by preventing users from visiting unsafe websites.
Similarly, the defences of the user layer should be shored up to mitigate the rising risk of internal threats. This layer is often the trickiest to manage because of the need to balance security and convenience. A variety of authentication methods can be used to identify network users and grant varying levels of access. Instilling awareness and educating staff are important steps to take.
3. Tackle shadow IT
Shadow IT is a term used to describe the use of applications and services, often cloud-based, that are not sanctioned by the organisation. Its uncontrolled nature poses both a security threat and a governance challenge.
Consider the scenario of employees using their smartphone to open a file. It is likely the phone will make a copy of the file, which could then be sent to an unapproved online storage destination when the phone performs its routine automatic backup. Just like that, your secure corporate data has been moved to an insecure location.