The air express industry, like many other businesses, has rapidly transformed the way it serves customers over the past few years, through the aggressive and ingenious use of the latest information technology (IT). FedEx spends more than US$1 billion every year on IT. Frederick W. Smith, founder of FedEx, once said, “The information about the package is as important as the package itself.”
But these advances come with a price: the need to protect the system from damaging viruses, accidental data breaches and even deliberate attacks. Breaches can often start in a very personal way: over a cup of coffee with friends at a café, where employees take a work PC to surf the net or check personal e-mail. Most of us are familiar with the technology fixes that form one side of the picture, including firewalls, passwords and digital certificates. However, the policy that supports these is equally important.
It is becoming vital for any successful global business not only to have an excellent security policy in place, but also to ensure that the policy is prioritized and communicated in an efficient and meaningful way.
A Vital Protection Tool
In the last six months in the U.S., nearly 40 per cent of firms surveyed by the Computing Technology Industry Association reported a major IT security breach. How many of these could have been prevented by considering the human element in the workplace? Many stemmed from the accidental loss of a laptop, BlackBerry, or mobile device; employees using unsecured networks from home to conduct company business; or employees downloading unapproved software onto the company network. An effective security policy is, in short, a vital protection tool for any kind of enterprise.
The paradox is this: security policies often do not make it onto the management’s radar screen until the organization has a major security incident. But the most effective policy is not one that is developed during a crisis, but rather, one that is developed, updated and communicated continuously after a systematic review of security needs.
The question then becomes, how are the best security policies developed? Large companies and those with the most at stake have put significant resources into this area. FedEx delivers more than 3.3 million packages each working day and the information that goes with them, and understands the significance of solid IT security–not only in the server room, but also in the boardroom.
Pathway to a Policy
In a global corporation, a security policy is most effective when it is aligned with the company’s business strategies at both the headquarters and regional level. Otherwise, issues such as varying risk tolerance levels among business units and cultural differences between the legal and business sides of the operation may arise. Security policies also need to be cost effective and be constantly communicated. Everyone in the company needs to be responsible for IT security–not just the IT department.
Step 1 — Legal Compliance
Look at areas where you are legally obliged to have security policies in place. Complying with the relevant laws will mean you have the right controls in place before you are audited or face any new cyber threats.
Step 2 — Prioritize Information
Look at the information used in critical decision-making by your organization and customers. Prioritize the information that is the most business-critical or sensitive. Obvious areas include updated financial information, customer data or company information that should be kept secure, like credit card information used for billing. Sensitive data or systems used by customers or vendors are also key.
Step 3 — Identify Weak Links
Identify your company’s weakest links. Policies that seem simple can have significant consequences; one example is how often we insist that passwords be changed. Bringing “White Hat Hackers” into your company can be useful to see what they can find out and to assess where you are most vulnerable. They find weaknesses in all areas of the company, such as the naming conventions used for sensitive data or weak passwords that can be determined easily, to name a few examples.
Step 4 — Nominate Enforcers
Choose the people who will own and enforce the policy. Crucially, they should include people from outside the IT department: legal, HR, audit and, of course, various user groups. You need senior management buy-in to make it happen, and senior management needs to be educated on the importance of information security and the risks of not having a strong policy enforced.
At FedEx, our Enterprise Security Council serves this function. It is led by our US headquarters, with participation by regional representatives from around the world. This group continues to evaluate and expand our security policies to ensure that information is safely guarded at all times. These people also act as the liaison with other stakeholders in the organization to pre-test the policy.
Step 5 — Develop a Clear Process
Finally, decide on a clear development process. One of the biggest mistakes companies make is that they try to do everything at once, without a grace period for transition, and without defining the resources they’re willing to put in. Unreasonable deadlines and expectations only cause resistance. Policy review and update are a vital part of this development process–not a day goes by without new threats emerging, while old ones have yet to be dealt with. It is important to have policies circulated and understood at every level and in every division of the company, so that good security habits become routine and their importance is not questioned. People who own and understand good security policies are also the best weapon in promoting good corporate security.
Linda Brigance is the chief information officer of the Asia-Pacific Division at FedEx.