Security Imperatives
Computers are increasingly being connected to the Internet via broadband and high-speed connections. Little do users realize that the moment a computer is connected to the Internet, the computer and the information it contains are at risk of being compromised by viruses, spyware, and adware, among others. These threats are getting more sophisticated and stealthy by the day. Quite often, there are no signs to indicate that a computer has been broken into! Once that happens, the information a computer contains is easy to steal and misuse. Passwords, credit card numbers, and bank account numbers can be easily divulged by unsuspecting users. Spyware may also gather and transmit information to criminals on the Internet. It is, therefore, imperative that security be deployed to protect computers and the information they contain.
Business Continuity
IT resources are used in organizations for business reasons, not for the sake of just using technology. Just as human, financial, capital, and material resources are managed in organizations, information resources need to be managed, too. If human resources are compromised, organizations can hire new ones; if capital resources are destroyed, they can be replaced. If information resources are compromised or destroyed, though, there is a good chance that they will be gone forever and possibly misused. This loss has the potential to destroy a business. Thus, for the sake of business continuity, good security strategies are a must!
The Weakest Link in Security
Quite often, business managers are under the somewhat mistaken impression that the technology they have deployed (firewalls and security software, for instance) adequately protects the business information that resides on the company's computers and servers. This impression is partially true. Technology and software alone are insufficient to protect information. The weakest link, from an information security standpoint, is not technology, but people (users in a business context). Yet businesses do not hesitate to throw technology at securing information in hopes that it is sufficient to stop someone from accessing and/or stealing information. Past and current research indicates that a majority of information security breaches result from actions of people, most of the time insiders, and not from a lack of technology! Actions that employees take, and the ways in which they interact with computers, can have a detrimental impact on the security of information. Unfortunately, no available technology can influence human behavior or change it and, until that technology is available (an unlikely event!), security will continue to be a business issue, not merely a technical one!
Proactive Rather Than Reactive
More often than not, organizations merely react to security breaches by deploying additional security technologies in hopes of preventing future breaches. Reactive approaches merely correct consequences of security exposures and often address only the symptoms of security problems. Rather, more proactive approaches are called for. Proactive approaches begin by comprehensively examining and plugging possible security holes, thereby seeking to prevent security breaches from occurring. Information security strategy should be part of the larger set of IT strategies of the firm. Only then can information be protected adequately. Security breaches could still occur but the probability and potential losses will be significantly reduced. Further, the focus will be on avoidance of human errors, a major cause of security breaches.
Achieving a Balance
It goes without saying that nothing is ever 100% secure. What seems secure today will most likely exhibit vulnerabilities at some later point in time. Further, there is a direct relationship between security deployment and its associated cost: the higher the security, the higher the cost. Thus, near-100% security is very, very expensive! Consequently, the appropriate amount of security is one that balances the benefits of security against the cost of its deployment. That appropriate amount can only be determined by performing a needs analysis, an activity that is a necessity in any security deployment effort. A security needs analysis, of course, cannot be conducted in a vacuum. It has to be conducted in the context of
- A variety of organizational factors,
- Appropriate security hardware and/or software,
- Security training and education for users to create awareness and a culture of safe computing,
- Security-related policies and procedures to guide users, and
- Security programs to assess if policies and procedures are being adhered to.

All of these, done in concert, will lead to a greater chance that information will remain protected.




