1. /
  2. Confident Insights Newsletter/
  3. Does Everyone in Your Organization ‘Get’ the Security Agenda?

Does Everyone in Your Organization ‘Get’ the Security Agenda?

June 30, 2010

Summary

End users often understand the need for security only in a general sense, without grasping the vital role they play in maintaining security. This article looks at the steps IT can take to convey the message that all employees must be proactive about adhering to security procedures.
If there’s one issue that keeps IT managers up at night it’s security.
According to Symantec’s 2010 State of Enterprise Security Report, cyber security now outranks traditional crime, natural disasters, and terrorism as the top risk at large organizations.
Moreover, the report found that nearly all the organizations surveyed (94%) expect to implement changes to their cyber security efforts in 2010, with almost half (48%) predicting major changes.
That being the case, it may come as a surprise that a lack of security awareness is still a fact of life at many organizations. Research conducted by the IT Policy Compliance Group shows that the number one cause of audit failure within organizations is lack of employee awareness. 1
This article surveys the current state of enterprise security and then recommends steps IT can take to convey the message that all employees must be proactive about adhering to security procedures.

Why 2010 is different

The 2010 State of Enterprise Security Report offers ample proof that organizations today are operating in a state of constant alert. Primarily that’s because they’re experiencing more attacks than ever before. The report found that 75% of all enterprises have experienced cyber attacks in the past 12 months, with 41% saying those attacks were somewhat or highly effective.
And make no mistake, the consequences of those attacks are getting steeper. The report found that a full 100% of the enterprises surveyed had experienced cyber losses in 2009. The most common losses were:
  • Theft of customer information
  • Downtime of environment
  • Theft of intellectual property
  • Theft of customer credit card information
The most common costs were:
  • Lost productivity
  • Lost revenue
  • Loss of customer trust
In all, enterprises reported that the costs associated with cyber attacks were $2 million in 2009. For large enterprises, those costs were even greater – almost $2.8 million.
That’s bad enough, but the report goes on to find that enterprise security is also woefully understaffed. And this comes at a time when enterprises are rolling out initiatives that make providing security more difficult, such as cloud computing and server virtualization.

Why you need to get the word out to everybody

Needless to say, given this environment, there can be no such thing as “security as usual” when it comes to mitigating cyber risk. Increasing security awareness within the organization needs to be a top priority.
Employees need to be aware that even simple actions, such as surfing websites and clicking a URL or link within an email, can put their company at risk It continues to be the case that employees who inadvertently violate data security policies represent a major factor in the occurrence of data breaches.
At the same time, organizations also need to understand that some employees actively go around security procedures that they feel interfere with their ability to get their job done. According to recent Symantec focus groups, some end users understand the need for security only in a general sense, without grasping (or caring about) their role in maintaining security. For these users, IT security is often seen as hampering innovative business initiatives and having a negative impact on worker productivity. 2

Stopping data breaches

To protect information from both internal and external threats, organizations should adopt an operational security model that is risk-based, content-aware, responsive to threats in real time, and workflow-driven to automate data security processes. Symantec believes this model can help IT effectively convey the message that adhering to security procedures is the responsibility of every person in the organization. Here are four steps organizations can take to reduce the risks of a data breach using proven solutions:
  • Step 1: Protect the infrastructure. Today you need centralized visibility across your systems so that you can manage them efficiently and ultimately protect them against emerging threats. That boils down to securing all endpoints, protecting email, defending critical internal servers, in addition to backing up and recovering data securely. Symantec Protection Suite creates a protected endpoint, messaging, and Web environment that is secure against today’s complex malware, data loss, and spam threats, and is quickly recoverable in the event of failure.
  • Step 2: Develop and enforce IT policies. By prioritizing risks and defining policies across the enterprise, organizations can more effectively enforce policies through built-in automation and workflow. Workflow and automation allow you not only to identify threats but to remediate incidents as they occur or to anticipate them before they even happen. Symantec Control Compliance Suite is the only holistic, fully automated solution to manage all aspects of IT risk and compliance at lower levels of cost and complexity. Control Compliance Suite offers out-of-the-box content on multiple industry regulations, automated assessment of technical and procedural controls, Web-based dashboard reporting, and integration with other Symantec security solutions.
  • Step 3: Protect information proactively. Yesterday’s security approaches were aimed at securing the network. Today, organizations are taking an information-centric approach to proactively protect their information. By focusing on the data itself, you are able to understand where information resides, who has access to it, how it’s being used, and, even further, how to proactively prevent its loss. With Symantec Data Loss Prevention, organizations gain visibility into policy violations to proactively secure data with automatic quarantine, relocation, and support for policy-based encryption. Symantec Data Loss Prevention enables active blocking at both the network and endpoint to prevent confidential data from leaving the organization inappropriately. Symantec helps ensure the highest level of risk reduction to automatically enforce compliance with data security policies and enable organizations to change employee behavior.
  • Step 4: Manage systems. Security needs to make your life easier through standardization, workflow, and automation—simple things that you can put in place to make security software do the heavy-lifting, everything from patch management to regulatory audits. Altiris IT Management Suite from Symantec is the industry’s most comprehensive and integrated suite for reducing the cost and complexity of managing corporate IT assets, including desktops, laptops, and servers. IT Management Suite reduces operational costs, increases operational efficiency, and helps you make strategic decisions to secure and manage your IT environment.

Conclusion

Today the risk of a data breach is higher than ever before. Partly that’s because targeted attacks focused on enterprises and malicious code development are at an all-time high. For example, in 2009, Symantec identified more than 240 million distinct new malicious programs, a 100% increase over 2008.3
The good news is that targeted attacks and other data breaches can be defeated. But it requires that all employees in the organization know what their responsibilities are. The operational security model that Symantec proposes offers organizations a blueprint for inculcating such a security culture.
To learn more, download the Symantec Webcast, “Meeting the Challenges of Today's Targeted Attacks.”
1 “Best Practices for Managing Information Security,” IT Policy Compliance Group, February 2010
2 Symantec conducted 16 focus groups among strategic and functional decision makers at enterprise and midsize companies in August and September, 2009
3 Symantec Internet Security Threat Report, Volume XV, April 2010

Related

Back to Newsletter