Common sense trumps legislation every time, but is there a better way to manage business security?

One of the largest problems for the business world at the moment is how to protect your data from being stolen, misused or misplaced. The cost and risk factors have to be incorporated into a solution to ensure it is protected at all times. How do we do that?

At the moment there are numerous points of view on how it should be done, but if you look at a solution to this problem there are really only two alternatives. Governments can legislate an organisation to protect it, or the organisation can put its own solutions in place. Which will be the most effective? Let’s look at it!

Business

One of the largest problems with a corporation having control over the security of its business is corporate greed. Any corporation, large or small, is beholden to one fact: increase profits, with increased revenue a close second. They are the driving force for all business. Legislation forces the corporation to assess the risks and mitigate against them. Legislation is designed as a carrot-and-stick type solution: protect your clients' data or we will do everything in our power to make you pay.

With profits and revenue being the business drivers, it is hard for managers, CEOs, CIOs, boards and management to assign the appropriate level of protection to their data without compromising those ideals. In most situations a well-protected and secure system, with managed data access and well-trained staff, makes a better platform to do business from than not having them in place. A compromised system or data breach should never happen, but management often base their decisions on emotion and stupidity, not fact.

We often hear:

“We are a small company, no one would want the information we have” = wrong on so many levels

“All our users have the same user name and password, why do we have to change that” = wrong and also very stupid

“Our website and CRM is well protected by a firewall” = wrong, this is only one level of the protection required.

The moment something detrimental happens, the people in the firing line are not management, for not budgeting for a secure IT environment, but the IT department, who have been doing so much with so little that they can now do the impossible with practically nothing.

The corporate ethos of profits has to be tempered with honesty and integrity. But can self-regulation work? We have seen it fail in so many ways in the last 10 years that the answer is probably a resounding NO. We have already seen what happens when there is little or no control over rampant capitalism with what happened in the GFC. With that and many other examples, we have to look at alternatives.

A more secure business can leverage that security in so many ways. If done correctly, and there are organisations out there that are doing it properly, it could improve the bottom line. The Internet and the World Wide Web make that possible at so many levels.

Government

To many in business, the constant meddling of government into their business is a barrier to doing business. Most governments understand that business is in business to make money; whether that is profits or revenue, they understand that the bottom line is critical. What they do not understand is that business is based on change and the reaction to change. Businesses have to change, at times within a very small timeline, to survive. Governments think that without some level of checks and balances, business will cut corners, bend rules and ignore protocol to improve that bottom line and make more profits. In creating the government regulations that will temper the level of “corporate greed”, most of the time there are so many layers that the intervention of the laws is slow, unwieldy, costly and unfocused. Furthermore, by the time the law is passed, the reason for the law has either morphed into something completely different or it has diminished to the level where the law is ineffectual.

There are so many focus groups and interested parties that coming to some level of agreement waters down the required legislation in the first place. Look at SOPA and the reaction across the whole of the US and, come to that, the world. These changes inevitably create rules that no longer do what they were supposed to do, target the protection at the wrong level, take too long to decide on and more often than not fail at the implementation level.

Some of the proposed solutions put forward by government and government departments remind me of “Yes Minister”; the problem is that real life is a lot more unforgiving. Businesses have had to adapt to the speed at which the world has changed, but it seems that government and government departments still have their processes set in the 1970s. They are unwilling to change and, worse still, unwilling to make a fast decision because they may alienate some splinter group or minority section of the public, damage their career or both.

Compliance is what we have now. Will it change or will it get even worse? I do not know. At present compliance at some levels is good; it does keep rampant capitalism in check, but for how long?

There is a solution to the problem but I am buggered if I know what it is. I do know that the constant bickering between business and government is going to be around for a while.

Roger Smith is an educator, teaching students at ADFA (UNSW) and showing them how vulnerable they are to cybercrime.

He is also CEO at R & I ICT Consulting Services Pty Ltd, an Amazon #1 author on Cybercrime and founder of the SME Security Framework. He is a consultant who specialises in inexpensive and highly effective security strategies for small and medium businesses and not-for-profit organisations.

He has developed and authored the SME Security Framework and the Security Policy Training Course, which are considered to be the definitive guides to helping SMEs protect their organisation using the principles of Technology, Management, Adaptability and Compliance.