There is a mismatch between companies’ expenditure on information technology security systems and the protection of valuable corporate processes. Companies mistakenly believe that buying systems provides robust protection, despite the most important element – data – not being the focus of security strategies.
Identifying critical and valuable information is the first step to protecting it, says digital security company Gemalto Africa identity and data protection manager Neil Cosser.
“Data is at the heart of every business system. Therefore, companies must develop security strategies that are suited to their contexts, including their corporate philosophy and appetite for or aversion to risk.”
Encryption will play a significant role in protecting data, if the encryption is of a high standard.
“Legally, a company that has had encrypted data stolen needs to register only a security breach, not a loss of data. Companies will need to identify and protect, or at least delete, sensitive data,” he explains.
There is no single organisation that can address all data security requirements, and any security technology or system will form part of a company’s security strategy, says Cosser.
Companies must, therefore, design security strategies for their operations, as these will help to identify vulnerabilities and sensitive data; businesses can then consider suitable solutions from various companies to fill identified security gaps.
Such strategies will also enable companies to identify and determine data classification priorities, which further helps to determine what data must be encrypted, he adds.
“Data classification is a significant challenge and, pragmatically, companies should identify critical data to be encrypted. Additional data that need to be secured can then be identified and secured along with the critical data.”
Security strategies must be developed continuously, with the evolution of security planned to address perceived changes to business processes. An overarching security strategy plan enables additional elements to be included as needed, even if they had not been planned for.
Beyond data identification and protection, role-based identity management will play a significant role in ensuring that only the correct departments and employees can access data, or even only the subsets of data relevant to their functions.
“Leaks often result from people who have access to, but are not technically allowed to access, sensitive data. Further, senior company employees often consider themselves to be exempt from the rules, which makes them especially vulnerable, as they often ignore protocol.
“Access management is in high demand across all sectors, but especially in the financial services sector, and a well-established, role-based access control system is a key element of data security and control,” concludes Cosser.