Dark Reading is part of the Informa Tech Division of Informa PLC


5/4/2015
10:30 AM
Harry Folloder
Commentary

Building a Stronger Security Strategy: 6 Tips

CIO offers his formula for achieving the right balance between data security and employee productivity and convenience

You might not think that security would be top of mind for a food service sales and marketing provider like Advantage (ASM) Waypoint. While we don't have account information on millions of consumer customers like Sony or Target, or sensitive banking data like JP Morgan Chase, our customer and corporate data still carries significant value for us; it’s the primary reason that setting a proactive security strategy is a top priority. In particular, it’s extremely important for us to be able to know where our data is at all times, including the increasing volumes being generated, accessed and shared outside of our traditional network.

We have 1,000 sales professionals visiting restaurants, stadiums, schools and other customer sites every day, with access to account information for hundreds of client contacts, including phone numbers, addresses and other sales data. They need to have instant and easy access to this information; if they don't, they will create their own workarounds, such as using personal email accounts and services like Dropbox, each of which comes with considerable security risk. At ASM Waypoint, we opted for an on-premises storage and backup solution that allows us to maintain full control of our data and ensure optimal security. In our case, we use CrashPlan from Code42.

But there's much more to protecting corporate data in a way that empowers employees and keeps customers happy than just buying good software. Here are six tips that I've found helpful in balancing the productivity and convenience needs of employees with the security concerns of IT:

1. Think about the business process first, not the technology
Too many executives think about the technology first and try to adapt the business processes later. But I like to take an operations-based approach and consider the business goals and challenges -- and then use a technology that will help me accomplish and manage those. The technology will support the business process if we choose the right technology partner.

2. Respect your customers
My team has spent time earning the trust of our customers and building a relationship, so it’s crucial that we respect their data and properly protect information. If customers start getting unsolicited calls from our competition because, say, an employee leaves the company and takes customer data with them via personal email or Dropbox accounts, that undermines the trust we have built. We must ensure that data doesn't get into the wrong hands and adversely affect our relationship with customers.

3. Keep it simple
Our employees have many accounts to manage, from payroll to healthcare, with different logins and passwords. I encourage them to use a single sign-on application that creates complex, distinct usernames and passwords with minimal effort on their part. Employees typically have many responsibilities, and worrying about technology should not be one of them; it’s the job of IT to provide tech that is efficient and easy to use. Single sign-on is so seamless to use that our employees don’t have to think about security.

4. Understand your users
IT and salespeople navigate in different worlds, so it’s essential for the two teams to see eye to eye. Each member of our IT team engages in a ride-along program where they shadow a salesperson twice a year. They observe how people in all major roles in the enterprise interact with technology throughout the day, what their tech needs are and the security risks they encounter.

5. Incorporate endpoint backup
When one of our execs knocked his laptop into a deep fryer at a restaurant, I was thankful the data on his device was backed up. Because of the different data protection needs of the various levels of employees, we have a tiered endpoint protection approach. While most employees use a shared network drive to store documents, executives store documents in a drive on the corporate network.

6. Have a contingency plan
The nature of security incidents is that they can happen at any time and without you knowing about it until real damage has been done. In addition to following best practices, you always need a contingency plan. We have a plan in place that allows us to understand what, how, and when data was lost and what the impact may be. The best plan is one that’s proactive and preventative because you don’t want to be caught off guard.

A data protection plan does not just mean buying reliable security products — it’s more holistic. You must first assess the needs and behavior of end users and the business practices as a whole. A successful strategy will address these needs while also providing easy, non-disruptive processes for employees to follow. And lastly, it will prepare your organization for anything — from a lost laptop to breaches and insider threats — by backing up data and having insight into where data flows and who uses it.

Harry Folloder is the Chief Information Officer at Advantage Waypoint LLC (AWP). With 10 billion dollars in food service sales and over 70 offices across 50 states, AWP is the largest national food service sales agency, representing leading Fortune 50 manufacturers such as ...
 
