It’s for your own good – the art of risk communication
Fri 6 Jun 2014
Businesses will always want to implement processes or policies that make their jobs easier, and it’s the IT security officer’s job to protect them from themselves. But, says Oscar Arean, cloud computing has added an extra layer of complexity that businesses now have to deal with.
The vast majority of security breaches are unintentional rather than malicious. They’re usually caused by employees just looking for the quickest and easiest way to do their job. A big part of managing security risk in the cloud is communication. If the security department are the disciplinarians who exist to tell off users for keeping their passwords on Post-Its, security is never going to be strong. Users need to know why keeping passwords on Post-Its is a bad idea.
IT security is something everyone in a business should understand – albeit at different levels. All too often, issues within an organisation are siloed. You need to involve departments in the process, and educate from the top; only then can you instil a greater understanding and acceptance of the risks employee actions can pose.
Communication is key. Security policies should be implemented and enforced from the top down. We commonly see departments detaching themselves from the issue of IT security, but this “them and us” attitude needs to be eliminated, especially when using cloud services.
A SaaS application, for example, requires the involvement of its users – this could be your sales team’s CRM system, or your marketing team’s marketing automation software. It’s the IT manager’s responsibility to make sure security decisions are a cross-departmental process, and that everyone is on the same page.
There is no hard and fast answer as to the security policies you should have in place (or expect your cloud service provider to have in place) – it all depends on the type of business you run and the type of data you’re handling.
Certain policies will be compulsory for compliance reasons, especially if you’re working to standards like ISO 27001 for information security, but others can be flexible. Finding a balance that works for you is important. Do you want to ensure watertight security through stringent processes but risk a drop in staff productivity? Or do you allow your staff to work on personal devices with more freedom but forgo some control over security? This should be a collaborative decision.
Some business functions are better served by being managed internally. Others are more easily met by outsourcing to a service provider. By working with a Cloud Service Provider (CSP) that understands the security risks to your business and has the ability to mitigate them, you significantly lower your chances of data loss. Service providers need to maintain high security standards to meet the needs of all of their customers. Security accreditations, such as PCI DSS and ISO 27001, are a good indicator of a provider that knows what it’s doing.
Oscar Arean is Technical Operations Manager at Databarracks. He is a specialist in providing private, public and hybrid cloud services including backup, archiving, DR and email hosting.