We’ve recently seen extensive press coverage of information security and of what happens when organizations misstep in implementing security procedures and systems. This problem is not going to be solved in the near term. To date, the volume of reports has not diminished public interest. We can expect to see additional incidents, and they will become increasingly visible.
The problem requires attention from both technology people and their business partners.
Recent events in both the private and public sectors show that uninformed or thoughtless decisions can lead to information loss, compromise of personal data, legal consequences, and the need for immediate and expensive repair work. In many cases, the impact on the organization’s reputation is greater than the financial loss, which can itself be considerable.
In addition to inadvertent incidents, it has been clear for some time that malevolent parties are breaching security for monetary gain, not for notoriety. Laptops and other portable devices are stolen frequently. Spoofing and scams are used to gather passwords and personal data for impersonation and fraud. We can expect this trend to continue.
In many organizations, the solution starts with guidelines, awareness and education. Information technology professionals can help their business partners by showing them proven techniques for improving controls on their data and applications. They can also help balance the need for business value with the risk of increased sharing and access to data and applications. They can design security into systems and business processes from the beginning, rather than as a costly and fragile afterthought.
IT organizations must also work to ensure that they are hardening their existing systems according to best practices. They should build controls and auditing into their applications, especially those holding confidential or private information. IT and business architectures should consider information security from the beginning.
The information security problem will require systematic investment and focus for the foreseeable future. The prudent IT organization will develop both tactics and a strategy to address the problem.