In the private sector, the network is the channel for conducting business in today's global marketplace. Protecting the network from threats and vulnerabilities can be daunting; however, there are strategies that can help organizations to protect the critical information assets traveling through their networks.
- Take a holistic approach. A business needs to protect both the data and the network because they work hand-in-glove. The data itself can be considered the currency of the digital world, so its protection is critical; the network moves the data, so it must be secured as well.
- Conduct regular risk assessments. Understand what types of data are traveling through the network. Take appropriate steps to protect confidential data, but be aware that clever insiders or thieves can access the network, take pieces of data, combine them and, as a result, put your organization's sensitive data at risk. Risk assessments need to take into consideration an organization's business model. First, analyze which types of data are most confidential for your line of business, whether you are a retailer, bank, health-care provider or hospitality business. After classifying the sensitivity of an organization's data, security managers need to consider who needs access to the data and how it should be secured as it travels from point to point on the network. Risk assessments are critical to understanding how resources should be allocated to protect the network.
- Control and monitor the data traveling the network. According to research conducted by the Ponemon Institute and CipherOptics, many IT professionals do not know whether their organizations permit clear text traffic when transmitting from host to host; or, whether they have controls in place to inform them about third-party data transfers.
- Support accountability at the leadership level. How well does the organization's leadership understand and support the importance of protecting the network? Is there someone accountable? Without leadership's commitment to security, it is difficult, if not impossible, to achieve the recommendations listed here.
- Assemble a network security risk council. The council should be composed of representatives from the following areas of an organization: security, legal, human resources, privacy, information technology, internal auditing and operations. The purpose is to determine what would be the greatest threat to the business if the network went down. This risk cannot be decided by the IT department alone. Risks are dependent upon the environment in which the business operates.
- Ensure enforcement of network security policies. It is important to verify that policies are being followed and employees are in compliance. Employees can deliberately circumvent policies. Therefore, it is important to make sure that mechanisms are in place to detect noncompliance and punish negligent or malicious employees.
- Invest in robust and up-to-date network security technologies. Make sure the network is patched to the proper levels, and that the hardware is current and maintained by the vendor. Blend encryption with smart cards, biometrics and analytic profiling. Encrypt everything, even at the chip level. Use network partitions to select the "tunnels" the organization wants to protect. Scan the network to know where every device is. An alert system should be built into the network to shut down devices.
- Have an incident response plan in place. Bad things can happen to good networks. While technology can help to protect the network, it is important to have plans in place to deal with network disruptions.
Generally, organizations should seek opportunities for the greatest overall increase in network security with the least amount of effort or expense. Encrypting network traffic is a first line of defense for protecting sensitive or confidential information sent over third-party networks, thus reducing some of the most significant security or privacy-related vulnerabilities due to negligent employees, unstable operating systems and other potential causes of a data loss or theft.
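The two points above, knowing whether clear-text traffic is permitted host to host and whether third-party transfers are visible, and treating encryption of traffic as the first line of defense, are both things an organization can check against its own flow records. The script below is an added example, not code from the article or from Ponemon Institute or CipherOptics: it audits a small constructed flow log (the six-field line format, the port table and the internal address ranges are assumptions for the example) and reports flows that use well-known clear-text protocols and flows whose destination lies outside the organization's own address space. Port-based classification is only a heuristic, so its hits are leads to verify, not proof that payload was sent in the clear.

```python
"""Flag clear-text and third-party flows in a constructed flow log.

Added example (not from the article). Reads records of the assumed form
    <timestamp> <src_ip> <dst_ip> <proto> <dst_port> <bytes>
and reports (a) flows on ports whose default protocol carries payload in
clear text and (b) flows to destinations outside the organisation's
private address space, i.e. transfers to a third party. Real exports
(NetFlow, IPFIX, cloud flow logs) carry the same fields; the line format,
port table and address ranges here are assumptions for the example.
"""
import ipaddress
from dataclasses import dataclass

# Well-known ports whose default protocol sends payload unencrypted.
# Heuristic only: a service may run TLS on an unusual port, or
# plain text on 443. Treat hits as leads to verify.
CLEAR_TEXT_PORTS = {
    21: "ftp", 23: "telnet", 25: "smtp", 80: "http", 110: "pop3",
    143: "imap", 389: "ldap", 514: "syslog", 3306: "mysql",
}

# Address ranges the organisation owns (assumed for the example).
# Any other destination is treated as a third party.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


@dataclass
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated flow record."""
    ts, src, dst, proto, dport, nbytes = line.split()
    return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                proto.lower(), int(dport), int(nbytes))


def is_internal(addr) -> bool:
    """True if the address falls inside one of the organisation's ranges."""
    return any(addr in net for net in INTERNAL_NETS)


def classify(flow: Flow) -> list:
    """Return the findings for one flow (empty list if nothing to report)."""
    findings = []
    if flow.dport in CLEAR_TEXT_PORTS:
        findings.append(f"clear-text {CLEAR_TEXT_PORTS[flow.dport]}")
    if not is_internal(flow.dst):
        findings.append("third-party destination")
    return findings


def audit(lines) -> list:
    """Audit flow records; return (ts, src, dst, dport, findings) per flagged flow."""
    report = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        f = parse_flow(line)
        found = classify(f)
        if found:
            report.append((f.ts, str(f.src), str(f.dst), f.dport, found))
    return report


# Constructed sample records (not real traffic); external addresses are
# from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24.
SAMPLE_FLOWS = """
# ts src dst proto dport bytes
2024-03-01T09:00:01Z 10.0.1.15 10.0.2.40 tcp 443 18200
2024-03-01T09:00:05Z 10.0.1.15 10.0.2.41 tcp 23 640
2024-03-01T09:01:10Z 10.0.3.7 203.0.113.25 tcp 21 95000
2024-03-01T09:02:00Z 192.168.4.9 198.51.100.8 tcp 443 4100
2024-03-01T09:02:30Z 10.0.1.15 10.0.2.53 udp 53 120
""".strip().splitlines()

if __name__ == "__main__":
    for ts, src, dst, port, found in audit(SAMPLE_FLOWS):
        print(f"{ts} {src} -> {dst}:{port}  {', '.join(found)}")
```

Run against the embedded sample, the audit flags the internal telnet session, the FTP upload to an outside address (both clear text and third party) and the TLS session to an outside address (third party only); the internal HTTPS and DNS flows pass. In practice the same logic is fed from the flow exporter and the port table and address ranges are replaced with the organization's own.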
It is interesting that our research found that encryption is viewed as too complex, expensive and not compatible with some other networking and security practices. This is not grounded in fact and is often based on an outdated notion about network encryption. There have been enormous strides in making encryption solutions for data in motion and at rest painless for end users. Many of these solutions are cost effective, thus yielding a strong ROI or total cost of ownership (TCO) result for business and government organizations.
Dr. Larry Ponemon is chairman and founder of Ponemon Institute.