More Canadian organizations need to educate their employees on the importance and relevance of business information by implementing security policies, said a panel of speakers during last week’s InfoSecurity conference held in Toronto.
Panellists from the event agreed that organizations have to get a better handle on establishing what information is important to the business and its employees in order to understand how to best access and manage that data. Kellman Meghu, security engineering manager for Canada at Check Point Software Technologies, Inc., a Tel Aviv, Israel-based information and security vendor, said one of the biggest challenges he sees Canadian organizations facing today is looking at the basics when it comes to security.
“Businesses need to establish what’s important first,” Meghu said. “The reality is that many companies still aren’t looking at where their data fits in to all of this.”
Michael Rowen, national director of security for Allstream, a communications solutions provider headquartered in Toronto, said companies need to ask themselves not only how important their information is, but also what sort of impact leaked information could have on the business itself.
Questions such as these should be addressed by all employees and not just IT staff, said David Senf, director of security research at research firm IDC.
“The top challenge Canadian organizations tell us they’re seeing is with the leadership in their organization,” Senf said. “You have to get everyone from the business executive to the IT executive to understand the importance and seriousness of threats and the impacts they can have.”
Senf also said businesses need to establish policies around security and around who has access to what information in the business. Most organizations today, he said, still aren’t defining these roles from a planning perspective. Questions still need to be asked about why a certain employee has access to a certain type of data, such as credit card numbers and customer addresses, because not everyone needs to have access to this, he adds.
“Most firms are focusing on the detection and understanding that there’s a problem, but then it’s like, now what? That’s an issue firms need to address,” Senf adds.
Along with policies, the panellists said organizations need to beef up their education awareness programs regarding data and how it’s handled both inside and outside the corporate environment.
“A lot of employees aren’t aware of how to handle and interpret data,” Rowen said. “Is it public domain information, or is it top secret with the company? These need to be figured out because technology will only go so far.”
He also said different departments need to be educated in a way that reflects and makes sense for each individual’s business role. Employees in human resources and IT, for example, should not be educated the same way, he said, because their roles are different, as is the kind of information they have access to. To ensure proper awareness, Rowen said education must be geared to each business and employee role.
In addition to data residing within a business, Meghu said it’s also about the information that’s mobile and leaves the business infrastructure.
“When a lot of organizations look at data leakage, they focus on the laptop and they forget about mobile devices such as smartphones,” Meghu said. “Businesses need to make these devices a part of their security policy, otherwise employees will get and manage their own, and that’s a very dangerous thing,” he adds.
Meghu said if data’s labelled as classified to begin with, checks can then be put in place to better manage and monitor it. Phones are like laptops, he said, because they carry important business information and must therefore be encrypted and secured the same way as notebooks and other devices are.
“We have a component of our Pointsec Mobile solution at Check Point, which is part of our Port Protection solution,” Meghu said. “It’s a software solution for USB keys, FireWire, mini SD cards and more, and it allows a policy to block everything to enforce encryption and subgroups of encryptions that are based on roles.”
Where the channel becomes important, Meghu said, is in helping to make sure companies have the best policies and training in place, and in making sure everyone, from end users all the way up to senior-level management, is educated about security and those policies as well.