From all of the security controls an organization could deploy, which one do you feel adds the most actual value for day-to-day information security and why?
The best security control that an organization can employ is encryption. Encryption should be used across the enterprise, especially for host devices such as desktops, mobile devices and laptops. Devices with data at rest and not encrypted are being taken out of offices by employees and others. This is happening at an alarming rate.
Any device containing company or client data should be encrypted. If these devices are lost or stolen and their drives are not encrypted, they could open up the company to loss of Intellectual Property or clients’ personal identifiable information (PII). This will open an organization up to loss of company secrets or litigation by clients. The number of laptops that are being either stolen from healthcare organizations or left in cars and then stolen is the subject of many mainstream news stories.
Encryption is also a large part of most compliance frameworks from HIPAA to SOX. It only stands to reason that regardless of whether you must comply with any regulation, encryption can save your company from headaches. Now granted, there are ways around encryption, for example, with the Target breach the malware was placed in an area where data passes in cleartext, and companies don’t have control over vendors no matter what type of security credentials/protocols in place–such as the third party vendor that opened an email, credentials were stolen, and Target was breached. There are ways around everything. But encryption will protect data at the end-points.
Allan Pratt, InfoSecurity & CyberSecurity Strategist, @Tips4Tech
To find out more about our panel members visit the biographies page
