An organization’s network infrastructure, and the security that supports it, is a complex ecosystem that is always changing. What and whom the business needs to protect varies as well. Each new event—whether a merger or acquisition, hiring or downsizing, or a new product launch—has an impact on what the enterprise needs to protect. However, there are several steps that businesses, with guidance from their IT teams, and involvement and support from their employees, can take to strengthen their enterprise security within the next six months. These measures will help the organization respond to the tectonic forces of change now in motion, and to build a foundation that will allow it to adapt more readily to future changes that affect enterprise security.
1) Close Gaps in Situational Awareness
Most enterprises are simply not aware of the totality of their network: There are outliers—disconnected elements—that present real risk. There are many moving parts and areas of low visibility to monitor and manage, such as mobile workers, mobile devices, web-based collaborative applications, and the cloud. By taking stock of these elements, IT teams gain better visibility into the overall network security posture. They also can identify and correct weaknesses more easily, and remove or block those things that should not be connecting to the network.
2) Focus First on Solving “Old” Issues—and Doing It Well
Many of the security issues considered to be “new” problems are actually old issues that can be managed and secured using existing, effective practices. One word of caution, however: Organizations should start by working to solve a limited number of things—and doing them well—instead of trying to solve too many problems at once, only to arrive at mediocre results or unfinished projects.
Software updating and patching is a good place for many organizations to begin making improvements. Enterprises have steadily lost control over the software that’s installed on technology assets. With today’s unwieldy networks comprised of a mix of officially sanctioned technology equipment, and whatever mobile devices workers have decided suit their needs, enterprises can’t guarantee that everyone is using approved versions of corporate software.
3) Educate Your Workforce on Security—and Include Them in the Process
When educating users, explain the security issues the enterprise needs to address, and ask them how they can help the organization to solve these problems. The most effective training uses real-world examples of criminals and attacks to show employees that threats are genuine and can cause significant damage.
“Workers need to have a heightened awareness of the pain they can cause a business when they over-share information via social networks,” advises Seth Hanford, Intelligence Operations Team Lead at Cisco. “They may be unaware that they could put customers, their own jobs, and others at risk, along with the enterprise’s ability to turn a profit. Executives need to clearly state the ramifications of workers’ actions.”
4) Understand That One Security Border Is No Longer Enough
The “fortress” approach to security of the past clearly is no longer adequate. With workers collaborating and sharing vital information far beyond the walls of the workplace, every hour of every day, security that’s limited to the network edge is bound to fail.
More than that, today’s hackers are skilled at breaking through traditional security perimeters and are finding it all too easy to penetrate the “soft spots” in the enterprise where sensitive data resides and is not protected by any security border. Never before has it been more important for enterprises to adopt a layered approach to security, and to make certain that wherever critical data flows or resides, it is protected by intelligent technology solutions, rich policies, robust enforcement practices, and a workforce who has been educated about security risks and who understand their role in helping to mitigate them.
5) View Security as a Differentiator for Your Business
Leading organizations are aligning their security investments with their business objectives and finding that it allows them to adapt more quickly and confidently to changing business conditions, take advantage of new technologies and markets, and enhance the customer experience.
Network and IT systems make up some of an organization’s most critical infrastructure. Together, they are the “endoskeleton” supporting the business and protecting its data. And like a living thing, if that vital framework is neglected, it will surely fail—especially when under pressure. Businesses must take action now to test the robustness of their infrastructure and implement effective security practices so they can endure—and thrive—in the new landscape formed by these changes.
It is important for enterprises to recognize, however, that there is no “silver bullet” technology solution that can meet all their security needs. A layered approach that includes depth and breadth of defense is the only way to meet the challenges and protect the opportunities presented to the enterprise by these forces of change and the emerging borderless network.
Excerpted from the Cisco 2010 Midyear Security Report. Download your copy here.