30
Mon, Dec
0 New Articles

Is Security a Burden or a Business Asset?

Security - Other
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times
Implementing a security plan can be a hassle, but nothing like the hassle you could have if you don't.


For many organizations, the need to add to or introduce security in order to meet regulatory compliance is seen as a serious burden being imposed upon them with no defined advantages. This article examines security from all angles and exposes how it can be perceived as an asset and/or a burden to an organization.

 

First, let's outline the views on how security can be construed as either a burden or an asset, and then we'll put the integration issues into perspective.

Burden     

To understand why people often see the need for security as a burden, we need to look at the issues that come up when trying to introduce security policies and safeguards into a business.

 

Responsibility

 

Who is responsible? Management, the MIS department, the board, or is there already a security group? Politically, does the owner of the responsibility have the backing of all groups? This rocky ground is often the reason that many people see security as a burden and that projects either fail to get off the ground or fail to deliver what was expected.

 

The people who are responsible for implementing the security policies and solutions often feel that everyone is against them because they are trying to force people to do things for the benefit of the "security group" rather than for the benefit of the business in general. Those who don't have the responsibility often feel that the things they're required to do in the name of security get in the way of their "real job" and that these things are imposed on them just because the security group wants it that way. They feel it is simply making their job harder and see no benefits from it.

 

The solution is to get everyone in the business unit to understand that security is the responsibility of all staff members and that the benefits are for all. Only with ongoing training and education can this be fully achieved. This buy-in is needed at all levels in the business, from the board member down to the janitorial staff; they all need to understand the need and be willing and able to play their part in the overall plan.

 

Budget

 

Implementing an overall security strategy and solution is an expensive exercise, but the question is often where the funding for it is to come from. Sometimes, the board mandates that certain security requirements are to be met, but they fail to allocate funds or even determine where the cost center for such expenditure is to be. The result is often that departments that are expected to fund the security efforts are left feeling they have lost budget for their own planned changes. This is often the reason for the resentment and the view that security is a burden.

 

Some companies simply say, "We haven't budgeted for security this year." So it doesn't get done. The point of concern here is that if there is no budget for security, is there budget for the greater costs of a data breach? This view is unfortunately often the retort of smaller companies that are even less able to weather the costs and resultant impacts of a breach.

 

So what is the solution? The need is to find some department or group that can allocate the budget to implement security. The budget needs to take into consideration the costs of hardware, software, training, and staffing. It needs to be understood that security is not a "fit and forget" item; an ongoing budget must be allocated to cover this. It also is important that the budget is allocated for just this need and cannot be siphoned off for general IT or staffing costs.

 

Value

 

Many organizations see security as having no value-add to the business. They feel that it gets in the way of the day-to-day operation of the business and that it may in fact have a totally negative impact. The problem becomes worse when staff are told that some project has been cut back or canceled in order to be able to fund a security implementation, especially if this was a pet project or something that the group or person had been working on for some time. All these points can lead people to believe that security is a burden and that it brings no value (or even brings a negative value) to the business or operation.

 

Only education and information is able to overcome these concerns.

 

Resistance to Change

 

"Why do we need to change what has been OK for years?"

 

"I don't need to be controlled in what I can access!"

 

"I need to have access to everything just in case I need it."

 

"My job cannot have restrictions put in the way."

 

"We won't be able to operate with extra restrictions."

 

These are the types of things we hear from staff as to why security is a burden on the business when in fact they mean on them personally. Sometimes change can push outside their comfort zone.

 

This is yet another reason to involve everyone in the discussions and education sessions prior to planning changes. Staff must realize that security can reap dividends when the implementation starts. People who understand the reasons that things are being planned and are able to voice their concerns and worries are far less likely to be resistant to change. And their input can often be valuable in getting the best overall solution for the business and staff.

 

Cannot Categorize Information

 

A great many businesses have seen a rapid increase in the amount and types of data they are dealing with, and often it seems easier and more cost-effective to simply increase the amount of storage available than to actually understand and manage the data they hold. The root of the problem is that staff finds it too difficult to separate what is sensitive and what is not. What this means is that determining who should have access to what and when becomes a serious burden, and security is blamed. The fact is that this should have been done as the business expanded.

 

This is a serious problem for many companies, and there appears to be no simple and straightforward answer to the problem. Often, the need highlights the fact that there has been uncontrolled growth in storage and the data contained on it, accompanied by insufficient IT staff to monitor what is occurring, which compounds the burden of implementing a business-wide solution. Even major companies have this issue. When IBM reported the loss of information on a tape in 2007, it was found to contain the details of staff who had left many years before and should have been deleted! Many companies consider it too difficult to separate what is sensitive and what is not.

Business Asset

A good security plan should never be considered a burden! The business assets are profound.

 

Security

Many facets of a well-rounded security plan will not show their value to the business simply because the attempts to breach the security will not be seen or recognized. In many companies, the details of spam email have stopped being examined. The number of emails with viruses contained and disinfected or the number of defenses against hack attacks are simply not reported to senior management because they are a day-to-day occurrence. The value of a strong security implementation, however, is that the business continues to run without users being disturbed by inboxes full of spam, having their computers run inefficiently because of programs infecting these machines, or--worse still--having keystroke monitors recording their actions.

 

One only has to look back at the reports of large amounts of data being lost or stolen on a site such as privacyrights.org to be able to contemplate the damage such announcements do to the business involved. Just imagine if TJX had had systems and procedures in place to stop the hacking. That business lost both reputation and value. Had the hack been prevented, would the company even have understood the value they were getting for their investment in a well-rounded security plan?

 

The misplacement of a single tape by Le Salle bank left two million customers concerned about their personal information and cost the group hundreds of millions in fraud insurance and other costs even though the tape was subsequently found. Imagine if this company had been encrypting the tape: Would senior management even been made aware a tape was lost and so realized the value of their security investment?

 

The problem with having a good, robust security infrastructure in place is that the value is rarely noticeable. But by not having one, the costs are very public and the damage obvious.

 

Storage

 

Because a business needs to understand the types of its data, the levels of sensitivity of that data, and the locations where data is held, the process of implementing security often also brings other benefits to an organization. Once the data is understood, it becomes easy to remove the many duplications and unnecessary versions and to move the data to the correct type of storage required. Often, this activity will actually free up much storage and give the users better access to the information they need. The result can be that planned expansion of storage is delayed or even canceled when it is found to be unnecessary because of the better utilization of the existing storage.

 

Policies

 

Because a security audit will indicate areas of operational need, new policies will be compiled, and in many cases, this process will help to smooth the day-to-day operation of a business by making it clear just what staff can and can't do. Policies on their own are not sufficient, so various other things--such as removing USB access and controlling the configuration of desktop PCs--will be implemented, all helping to ensure that systems run smoothly and staff cannot add unauthorized software to their desktop units. This action ensures that all the software installed and running in the business is controlled and correctly licensed.

Integrated Security Systems

The process of integration might start with trying to understand the concept of a total business-wide approach and then filling in the details. It is important not to focus on just one issue; as with all things, security is only as good as the weakest link. To use the military approach of "need to know," you start with the premise that no one has access to anything anywhere. From there, you allow access only to people who need that information to do their jobs and only at times they need it. Once a system like this is implemented, it is easier to track who has access rather than who is denied it. As new areas of information are added, the default is again to allow no access. This security method avoids inadvertently allowing people access because denial of access was accidentally omitted. It is also much simpler to audit actions in the setting.

 

Physical security should never be overlooked and needs to be part of the overall plan. Simply saying only authorized staff should have access to the server room, for example, does not stop staff from being able to access workstations in another area where they don't need authorization. By departmentalizing things and granting access only where it is required, security becomes easier to implement and control.

 

People

 

Often, people are the weakest link in any security system. Sometimes, breaches can be intentional, but in most cases, they're the result of laziness or lack of understanding. A good security solution ensures that employees are fully trained on what they can and cannot do but also ensures that the system is designed in a way that they cannot breach security either by intention or by error. The recent loss of 24 million records by the United Kingdom's HMRC (Her Majesty's Revenue and Customs) department was blamed on a very junior member of staff breaching policy by copying data to a disc and sending it in the mail. This should simply not have been possible; no one should be able to export data in any clear-text form, and desktop PCs should have any removable media features disabled if they can also be used to access sensitive data.

 

Electronic

 

The problem with many software or hardware solutions is that they seem to imply that they are a "solution in a box" and are all that is needed to meet a company's security needs. This is clearly far from the truth, so a very open attitude is needed when approaching security. All levels and systems need to be looked at and all areas of risk viewed. Is it possible to print sensitive data on a printer outside the secure area? Could sensitive data be transmitted outside the business unencrypted? Could someone either unintentionally or purposefully change information on a database without specific authorization? The list goes on and on and needs continuous assessment, test, and correction. Outside specialists can offer penetration testing in electronic systems, but what about the physical side? Could visitors access information by deception? People are renowned for being basically trusting by nature, and the standard phone call purporting to be from the help desk ("Can you just type this and tell me what you get back?") is always a concern.

 

Only by educating the whole team and getting them to view security as part of their job can you ensure a robust system that does not have the standard weak links.

Asset, Not Burden

A security policy and all the hardware and software that go with it help to ensure that your organization will still be doing business in the future. And that's the whole idea, isn't it?

BLOG COMMENTS POWERED BY DISQUS

LATEST COMMENTS

Support MC Press Online

$

Book Reviews

Resource Center

  • SB Profound WC 5536 Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application. You can find Part 1 here. In Part 2 of our free Node.js Webinar Series, Brian May teaches you the different tooling options available for writing code, debugging, and using Git for version control. Brian will briefly discuss the different tools available, and demonstrate his preferred setup for Node development on IBM i or any platform. Attend this webinar to learn:

  • SB Profound WP 5539More than ever, there is a demand for IT to deliver innovation. Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects. The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the company are not aligned with the current IT environment.

  • SB HelpSystems ROBOT Generic IBM announced the E1080 servers using the latest Power10 processor in September 2021. The most powerful processor from IBM to date, Power10 is designed to handle the demands of doing business in today’s high-tech atmosphere, including running cloud applications, supporting big data, and managing AI workloads. But what does Power10 mean for your data center? In this recorded webinar, IBMers Dan Sundt and Dylan Boday join IBM Power Champion Tom Huntington for a discussion on why Power10 technology is the right strategic investment if you run IBM i, AIX, or Linux. In this action-packed hour, Tom will share trends from the IBM i and AIX user communities while Dan and Dylan dive into the tech specs for key hardware, including:

  • Magic MarkTRY the one package that solves all your document design and printing challenges on all your platforms. Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product. Make sure your data survives when catastrophe hits. Request your trial now!  Request Now.

  • SB HelpSystems ROBOT GenericForms of ransomware has been around for over 30 years, and with more and more organizations suffering attacks each year, it continues to endure. What has made ransomware such a durable threat and what is the best way to combat it? In order to prevent ransomware, organizations must first understand how it works.

  • SB HelpSystems ROBOT GenericIT security is a top priority for businesses around the world, but most IBM i pros don’t know where to begin—and most cybersecurity experts don’t know IBM i. In this session, Robin Tatam explores the business impact of lax IBM i security, the top vulnerabilities putting IBM i at risk, and the steps you can take to protect your organization. If you’re looking to avoid unexpected downtime or corrupted data, you don’t want to miss this session.

  • SB HelpSystems ROBOT GenericCan you trust all of your users all of the time? A typical end user receives 16 malicious emails each month, but only 17 percent of these phishing campaigns are reported to IT. Once an attack is underway, most organizations won’t discover the breach until six months later. A staggering amount of damage can occur in that time. Despite these risks, 93 percent of organizations are leaving their IBM i systems vulnerable to cybercrime. In this on-demand webinar, IBM i security experts Robin Tatam and Sandi Moore will reveal:

  • FORTRA Disaster protection is vital to every business. Yet, it often consists of patched together procedures that are prone to error. From automatic backups to data encryption to media management, Robot automates the routine (yet often complex) tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:

  • FORTRAManaging messages on your IBM i can be more than a full-time job if you have to do it manually. Messages need a response and resources must be monitored—often over multiple systems and across platforms. How can you be sure you won’t miss important system events? Automate your message center with the Robot Message Management Solution. Key features include:

  • FORTRAThe thought of printing, distributing, and storing iSeries reports manually may reduce you to tears. Paper and labor costs associated with report generation can spiral out of control. Mountains of paper threaten to swamp your files. Robot automates report bursting, distribution, bundling, and archiving, and offers secure, selective online report viewing. Manage your reports with the Robot Report Management Solution. Key features include:

  • FORTRAFor over 30 years, Robot has been a leader in systems management for IBM i. With batch job creation and scheduling at its core, the Robot Job Scheduling Solution reduces the opportunity for human error and helps you maintain service levels, automating even the biggest, most complex runbooks. Manage your job schedule with the Robot Job Scheduling Solution. Key features include:

  • LANSA Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.

  • LANSAWhen it comes to creating your business applications, there are hundreds of coding platforms and programming languages to choose from. These options range from very complex traditional programming languages to Low-Code platforms where sometimes no traditional coding experience is needed. Download our whitepaper, The Power of Writing Code in a Low-Code Solution, and:

  • LANSASupply Chain is becoming increasingly complex and unpredictable. From raw materials for manufacturing to food supply chains, the journey from source to production to delivery to consumers is marred with inefficiencies, manual processes, shortages, recalls, counterfeits, and scandals. In this webinar, we discuss how:

  • The MC Resource Centers bring you the widest selection of white papers, trial software, and on-demand webcasts for you to choose from. >> Review the list of White Papers, Trial Software or On-Demand Webcast at the MC Press Resource Center. >> Add the items to yru Cart and complet he checkout process and submit

  • Profound Logic Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application.

  • SB Profound WC 5536Join us for this hour-long webcast that will explore:

  • Fortra IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn: