Looking to the future: risk management
Now that the basic premise has been understood, that is, that the company’s data is not as secure as it is believed to be, it is time to act and to continue taking action.
Apart from addressing the vulnerabilities mentioned earlier, it is important that administrators make good use of the tools that are available to address network and storage vulnerabilities. These tools can greatly reduce the time it takes an administrator to manually check for, assess and remedy any vulnerabilities, as well as provide a snapshot of the network’s security set-up. These tools should not be seen as a cost but as an investment in line with the business needs of the organization and the importance of the data the organization holds.
Recent security breaches that made the headlines revealed that the organizations involved had failed to enforce or implement stringent security policies with regard to how data is accessed, handled and transferred. Although security policies are important, they must not be written for the sake of having a thick file that no one in the organization will ever read. Security policies are there to be enforced.
Internal communication is also important and often overlooked. Administrators need to explain in clear and simple language what each policy means and how each one is implemented throughout the organization. If security policies cover the use of portable devices, administrators should explain why certain devices are banned and not reply with a curt, ‘because I said so’. This approach is counterproductive.
Business practices change, and IT is there as a function to enable the business to make the most of its investment. The key is to manage these resources and manage them well!
Education is also important. Employees are not as tech savvy as the administrator is. They need to be told over and over that they should not leave their passwords written on a sticky note on their monitor. They need to understand that sharing passwords is equivalent to sharing the key to their home. And they need to understand that their actions are being monitored and that they are accountable to the company.
Something that IT administrators in SMBs need to be wary of is the false belief that once they have deployed a security product, they can put their minds at rest that the network and data are secure. Wrong. Technology alone will not protect a company’s data. Strong and enforceable security policies as well as employee and management awareness of security issues will go a long way towards improving the level of storage security in the organization.