
How IT security can learn from medicine

Prof. Dr. Peter Schaff, CEO of the TÜV SÜD Management Service Division | July 20, 2016
Surprising parallels between the two disciplines

This vendor-written piece has been edited by Executive Networks Media to eliminate product promotion, but readers should note it will likely favour the submitter's approach.

While medicine can look back on many years of experience in which its protagonists have learned from past mistakes, IT security is a relatively young discipline and is considered difficult by many companies, or even neglected by them. However, there are surprisingly many parallels between these two disciplines, so that IT security can use medicine as a role model.

Lack of awareness

Take the transmission of viruses, for example. From the most specialist doctor to the lowest-grade nurse, all members of the medical profession make sure to thoroughly wash and sanitise their hands before coming into contact with a new patient. However, what we take for granted today is the result of past and often painful experience. Awareness of the risk of viral transmission only developed over time. In the early 18th century, doctors would frequently perform an autopsy and immediately attend to birthing mothers without washing their hands or changing their clothes. Today, it is no surprise that this promoted the spread of infections. However, at that time, people simply lacked the knowledge and awareness of the consequences of their actions.

Modern IT security faces a very similar problem. It must prevent viruses from spreading on business computers and causing havoc, but unfortunately a lack of awareness of how to do this is as widespread in the modern workplace as it was in historical medicine. The IT security equivalent of hand-washing in medicine is the correct and extensive use of a firewall. Every computer needs up-to-date, powerful protection against outside attacks; however, this protection also needs to be activated and correctly administered. Experts suggest that technical resources contribute only 20 percent to the success of IT security, while good organisation and employee awareness and behaviour account for the other 80 percent. Sharing responsibility among all employees throughout the company, instead of leaving everything to the IT department, is at least as important as technical protection. After all, although antivirus software and firewalls offer effective prevention, they cannot ward off all malware and all hacker attacks. In order to take correct action, employees need appropriate training and must be offered opportunities to inform themselves independently.

In addition, where IT security is concerned, organisations should prepare for the worst-case scenario right from the start. However, the Data Protection Indicator (DPI) developed by TÜV SÜD in partnership with Ludwig-Maximilians-Universität (LMU) in Munich shows that 39 percent of the companies surveyed do not have a systematic procedure in place to deal with data-protection violations. In fact, only 20 percent are sure that their company has a documented and systematic procedure for managing data-protection violations. However, a pre-defined systematic approach plays an important role, helping to initiate the appropriate and required measures immediately.
