As enterprises embrace a wider range of digital technologies, they need to take a people-centric approach to security. That means your first line of defense becomes your staff. And sometimes, the last.
In the digital workspace, the inevitable transition to cloud, mobile and social technologies means that employees are central to enterprise security strategy.
Gartner argues that enterprises need to adopt a people-centric security (PCS) approach which “emphasizes individual accountability and trust, and de-emphasizes restrictive, preventative security controls”.
Conventional security strategies take what is often referred to as a “command and control” approach to safeguarding the enterprise. PCS reduces these controls and seeks to motivate users to take more responsibility for their actions. The upside should be a more agile business structure. But this people-centric proposition does not come without challenges.
“If we’re going to give people more freedom to decide, we must make them aware that there are consequences and educate them on what these consequences are,” explained Tom Scholtz, vice president, Gartner. “We can’t ask them to make decisions that may have a negative impact if they don’t have the knowledge to make those decisions.”
So here are four key areas enterprises should take into account if they are planning to introduce PCS:
1) Ignorance is no longer an excuse
The workforce is the custodian of policy and central to the way information is shared. Enterprises that instigating targeted policy training to make users aware of how data should be handled, are reaping the rewards. According to the Ponemon Institute, the number of inside breaches has gone down, most likely as a result of training and awareness programs having a positive impact on users.
2) Responsibility starts at the top
Data security should be second nature and users must be willing to accept accountability. Cybersecurity awareness and readiness should be communicated throughout the enterprise, from the boardroom down. A recent survey led by researchers at Goldsmiths University of London found a lack of widespread accountability for security in senior management. They found that in the most vulnerable enterprises, 90 per cent of board members admitted they could not interpret a cybersecurity report and only 10 per cent said they were updated about cyberthreats that may affect the business.
3) Most users are not a threat, so trust them
People-centric security requires a balance between trust and verification. It is built on the assumption that most users want to behave in a secure manner. So trust them. But also make them aware their actions are being monitored and if mistakes occur, they can be held responsible. “The traditional approach is to treat 100 per cent of people with suspicion, even though only 2 per cent or 3 per cent misbehave. That's probably not the most effective way of going about it,” Scholtz explained at Gartner’s Symposium.
4) Testing trust on small group
PCS may not suit the set-up of all organizations. It requires a bold, new way of thinking about security and it takes time to put the right foundations in place. Firstly, security must be embedded in the management structure and all staff need to be fully aware of the strategy, which will require a learning curve. In traditional security programs, people are under constant surveillance because there is little or no trust element. With PCS, people are seen as a source of value when it comes to security prevention. This requires building a strong culture of shared security principles, which some enterprises may find a challenge.
For enterprises that want to go down the PCS route, Scholtz advocates choosing an appropriate target area for initial deployment. This way an enterprise can monitor how PCS works in a controlled environment and iron out any initial problems or queries that may arise from staff in what is a revolutionary approach to IT security.
People are central to Orange Business’ security offerings. Find out more about how you can create a secure environment in which your business can grow here.