Building a Stronger Security Strategy: 6 Tips

CIO offers his formula for achieving the right balance between data security and employee productivity and convenience

You might not think that security would be top of mind for a food service sales and marketing provider like Advantage (ASM) Waypoint. While we don't have account information on millions of consumer customers like Sony or Target, or sensitive banking data like JP Morgan Chase, our customer and corporate data still carries significant value for us; it’s the primary reason that setting a proactive security strategy is a top priority. In particular, it’s extremely important for us to be able to know where our data is at all times, including the increasing volumes being generated, accessed and shared outside of our traditional network.

We have 1,000 sales professionals visiting restaurants, stadiums, schools and other customer sites every day, with access to account information for hundreds of client contacts, including phone numbers, addresses and other sales data. They need to have instant and easy access to this information; if they don't, they will create their own workarounds, such as using personal email accounts and services like Dropbox, each of which comes with considerable security risk. At ASM Waypoint, we opted for an on-premises storage and backup solution that allows us to maintain full control of our data and ensure optimal security. In our case, we use CrashPlan from Code42.

But there's much more to protecting corporate data in a way that empowers employees and keeps customers happy than just buying good software. Here are six tips that I've found helpful in balancing the productivity and convenience needs of employees with the security concerns of IT:

1. Think about the business process first, not the technology
Too many executives think about the technology first and try to adapt the business processes later. But I like to take an operations-based approach and consider the business goals and challenges -- and then use a technology that will help me accomplish and manage those. The technology will support the business process if we choose the right technology partner.

2. Respect your customers
My team has spent time earning the trust of our customers and building a relationship, so it’s crucial that we respect their data and properly protect information. If customers start getting unsolicited calls from our competition because, say, an employee leaves the company and takes customer data with them via personal email or Dropbox accounts, that undermines the trust we have built. We must ensure that data doesn't get into the wrong hands and adversely affect our relationship with customers.

3. Keep it simple
Our employees have many accounts to manage, from payroll to healthcare, with different logins and passwords. I encourage them to use a single sign-on application that creates complex, distinct usernames and passwords with minimal effort on their part. Employees typically have many responsibilities, and worrying about technology should not be one of them; it’s the job of IT to provide tech that is efficient and easy to use. Single sign-on is so seamless to use that our employees don’t have to think about security.

4. Understand your users
IT and salespeople navigate in different worlds, so it’s essential for the two teams to see eye to eye. Each member of our IT team engages in a ride-along program where they shadow a salesperson twice a year. They observe how people in all major roles in the enterprise interact with technology throughout the day, what their tech needs are and the security risks they encounter.

5. Incorporate endpoint backup
When one of our execs knocked his laptop into a deep fryer at a restaurant, I was thankful the data on his device was backed up. Because of the different data protection needs of the various levels of employees, we have a tiered endpoint protection approach. While most employees use a shared network drive to store documents, executives store documents in a drive on the corporate network.

6. Have a contingency plan
The nature of security incidents is that they can happen at any time and without you knowing about it until real damage has been done. In addition to following best practices, you always need a contingency plan. We have a plan in place that allows us to understand what, how, and when data was lost and what the impact may be. The best plan is one that’s proactive and preventative because you don’t want to be caught off guard.

A data protection plan does not just mean buying reliable security products — it’s more holistic. You must first assess the needs and behavior of end users and the business practices as a whole. A successful strategy will address these needs while also providing easy, non-disruptive processes for employees to follow. And lastly, it will prepare your organization for anything — from a lost laptop to breaches and insider threats — by backing up data and having insight into where data flows and who uses it.