Dark Reading is part of the Informa Tech Division of Informa PLC


Attacks/Breaches

5/4/2015
10:30 AM
Harry Folloder
Commentary

Building a Stronger Security Strategy: 6 Tips

CIO offers his formula for achieving the right balance between data security and employee productivity and convenience

You might not think that security would be top of mind for a food service sales and marketing provider like Advantage (ASM) Waypoint. While we don't have account information on millions of consumer customers like Sony or Target, or sensitive banking data like JP Morgan Chase, our customer and corporate data still carries significant value for us; it’s the primary reason that setting a proactive security strategy is a top priority. In particular, it’s extremely important for us to be able to know where our data is at all times, including the increasing volumes being generated, accessed and shared outside of our traditional network.

We have 1,000 sales professionals visiting restaurants, stadiums, schools and other customer sites every day, with access to account information for hundreds of client contacts, including phone numbers, addresses and other sales data. They need to have instant and easy access to this information; if they don't, they will create their own workarounds, such as using personal email accounts and services like Dropbox, each of which comes with considerable security risk. At ASM Waypoint, we opted for an on-premises storage and backup solution that allows us to maintain full control of our data and ensure optimal security. In our case, we use CrashPlan from Code42.

But there's much more to protecting corporate data in a way that empowers employees and keeps customers happy than just buying good software. Here are six tips that I've found helpful in balancing the productivity and convenience needs of employees with the security concerns of IT:

1. Think about the business process first, not the technology
Too many executives think about the technology first and try to adapt the business processes later. But I like to take an operations-based approach and consider the business goals and challenges -- and then use a technology that will help me accomplish and manage those. The technology will support the business process if we choose the right technology partner.

2. Respect your customers
My team has spent time earning the trust of our customers and building a relationship, so it’s crucial that we respect their data and properly protect information. If customers start getting unsolicited calls from our competition because, say, an employee leaves the company and takes customer data with them via personal email or Dropbox accounts, that undermines the trust we have built. We must ensure that data doesn't get into the wrong hands and adversely affect our relationship with customers.

3. Keep it simple
Our employees have many accounts to manage, from payroll to healthcare, with different logins and passwords. I encourage them to use a single sign-on application that creates complex, distinct usernames and passwords with minimal effort on their part. Employees typically have many responsibilities, and worrying about technology should not be one of them; it’s the job of IT to provide tech that is efficient and easy to use. Single sign-on is so seamless to use that our employees don’t have to think about security.

4. Understand your users
IT and salespeople navigate in different worlds, so it’s essential for the two teams to see eye to eye. Each member of our IT team takes part in a ride-along program, shadowing a salesperson twice a year. They observe how people in all major roles in the enterprise interact with technology throughout the day, what their tech needs are and the security risks they encounter.

5. Incorporate endpoint backup
When one of our execs knocked his laptop into a deep fryer at a restaurant, I was thankful the data on his device was backed up. Because of the different data protection needs of the various levels of employees, we have a tiered endpoint protection approach. While most employees use a shared network drive to store documents, executives store documents in a drive on the corporate network.

6. Have a contingency plan
The nature of security incidents is that they can happen at any time and without you knowing about it until real damage has been done. In addition to following best practices, you always need a contingency plan. We have a plan in place that allows us to understand what, how, and when data was lost and what the impact may be. The best plan is one that’s proactive and preventative because you don’t want to be caught off guard.

A data protection plan does not just mean buying reliable security products — it’s more holistic. You must first assess the needs and behavior of end users and the business practices as a whole. A successful strategy will address these needs while also providing easy, non-disruptive processes for employees to follow. And lastly, it will prepare your organization for anything — from a lost laptop to breaches and insider threats — by backing up data and having insight into where data flows and who uses it.

Harry Folloder is the Chief Information Officer at Advantage Waypoint LLC (AWP). With 10 billion dollars in food service sales and over 70 offices across 50 states, AWP is the largest national food service sales agency, representing leading Fortune 50 manufacturers such as ...