Dark Reading is part of the Informa Tech Division of Informa PLC


10:30 AM
Harry Folloder

Building a Stronger Security Strategy: 6 Tips

CIO offers his formula for achieving the right balance between data security and employee productivity and convenience

You might not think that security would be top of mind for a food service sales and marketing provider like Advantage (ASM) Waypoint. While we don't have account information on millions of consumer customers like Sony or Target, or sensitive banking data like JP Morgan Chase, our customer and corporate data still carries significant value for us; it’s the primary reason that setting a proactive security strategy is a top priority. In particular, it’s extremely important for us to be able to know where our data is at all times, including the increasing volumes being generated, accessed and shared outside of our traditional network.

We have 1,000 sales professionals visiting restaurants, stadiums, schools and other customer sites every day, with access to account information for hundreds of client contacts, including phone numbers, addresses and other sales data. They need to have instant and easy access to this information; if they don't, they will create their own workarounds, such as using personal email accounts and services like Dropbox, each of which comes with considerable security risk. At ASM Waypoint, we opted for an on-premises storage and backup solution that allows us to maintain full control of our data and ensure optimal security. In our case, we use CrashPlan from Code42.

But there's much more to protecting corporate data in a way that empowers employees and keeps customers happy than just buying good software. Here are six tips that I've found helpful in balancing the productivity and convenience needs of employees with the security concerns of IT:

1. Think about the business process first, not the technology
Too many executives think about the technology first and try to adapt the business processes later. But I like to take an operations-based approach and consider the business goals and challenges -- and then use a technology that will help me accomplish and manage those. The technology will support the business process if we choose the right technology partner.

2. Respect your customers
My team has spent time earning the trust of our customers and building a relationship, so it’s crucial that we respect their data and properly protect information. If customers start getting unsolicited calls from our competition because, say, an employee leaves the company and takes customer data with them via personal email or Dropbox accounts, that undermines the trust we have built. We must ensure that data doesn't get into the wrong hands and adversely affect our relationship with customers.

3. Keep it simple
Our employees have many accounts to manage, from payroll to healthcare, with different logins and passwords. I encourage them to use a single sign-on application that creates complex, distinct usernames and passwords with minimal effort on their part. Employees typically have many responsibilities, and worrying about technology should not be one of them; it’s the job of IT to provide tech that is efficient and easy to use. Single sign-on is so seamless to use that our employees don’t have to think about security.

4. Understand your users
IT and salespeople navigate in different worlds, so it’s essential for the two teams to see eye to eye. Each member of our IT team engages in a ride-along program where they shadow a salesperson twice a year. They observe how people in all major roles in the enterprise interact with technology throughout the day, what their tech needs are and the security risks they encounter.

5. Incorporate endpoint backup
When one of our execs knocked his laptop into a deep fryer at a restaurant, I was thankful the data on his device was backed up. Because of the different data protection needs of the various levels of employees, we have a tiered endpoint protection approach. While most employees use a shared network drive to store documents, executives store documents in a drive on the corporate network.

6. Have a contingency plan
The nature of security incidents is that they can happen at any time and without you knowing about it until real damage has been done. In addition to following best practices, you always need a contingency plan. We have a plan in place that allows us to understand what, how, and when data was lost and what the impact may be. The best plan is one that’s proactive and preventative because you don’t want to be caught off guard.

A data protection plan does not just mean buying reliable security products — it’s more holistic. You must first assess the needs and behavior of end users and the business practices as a whole. A successful strategy will address these needs while also providing easy, non-disruptive processes for employees to follow. And lastly, it will prepare your organization for anything — from a lost laptop to breaches and insider threats — by backing up data and having insight into where data flows and who uses it.

Harry Folloder is the Chief Information Officer at Advantage Waypoint LLC (AWP). With 10 billion dollars in food service sales and over 70 offices across 50 states, AWP is the largest national food service sales agency, representing leading Fortune 50 manufacturers such as ...
