If adopting new technology increases your fear of a security breach, take heart. A new report by Telus and the Rotman School of Management uncovers the security issues that keep IT managers up at night and offers advice on how to resolve them.
“We wanted to provide Canadian security leaders with access to real-life experiences, best practices and strategies used by their peers,” says Walid Hejazi, professor of business economics at the Rotman School of Management.
The survey revealed that IT managers had concerns over whether their organizations had been breached without their knowledge and how a breach might affect their brand. They also wondered how to retain security resources and were worried about what employees were doing with corporate data.
Most Canadian security leaders interviewed for the study believe a security breach is inevitable. And they lack confidence in their organizations’ ability to detect the breach and mitigate possible damage. The study also found that organizations that work with employees to adopt innovation or new technology in a responsible manner are more secure than organizations that limit innovation adoption with rigid IT security controls. Businesses that limit adoption of technology tend to operate with a false sense of security, notes the report, because employees often circumvent controls to use new technologies anyway, leaving the organization unaware and at risk.
“It is critical that organizations remain open to new technologies so employees are empowered with the tools to increase productivity,” says Hernan Barros, director at TELUS Security Solutions. “Equally important, however, is that organizations ensure employees understand how to use new tools responsibly and that adherence to security policy is made convenient and simple.”
The survey authors offer five tips to help strike a balance between technology adoption and security.
- Don’t assume you haven’t been breached. Just because your organization hasn’t detected a security breach doesn’t mean you haven’t been hacked. Look for trouble even when none is evident.
- Security diligence must be ongoing. Given the pace of tech innovation affecting the security of information systems, IT managers have to keep up and respond appropriately.
- Compliance is not the same as security. Meeting minimum required standards should be viewed as exactly that, the minimum required. Security should be a consideration throughout the lifecycle of every project.
- Organizations should work to be “yes” organizations. These businesses recognize the critical nature of security when embracing any new technology and integrate strategy, education and buy-in into the process.
- Awareness training is key. Security is only as good as its weakest link, and the weakest link is often people. Awareness training must be consistent and relevant to new threats, and IT managers need to find ways to effectively reach employees.