Traditionally, enterprise data security has relied on a “fortress defense” approach: keep all assets within the company castle and build towering walls to keep the enemy out. However, with an evolving threat landscape of targeted attacks, social engineering and spear phishing, this model leaves numerous vulnerable attack points.
With increasing employee mobility, IT professionals are challenged to extend their security practices to “armor” employees individually as well as the fortress. As a result, IT budgets are stretched thinner, making it necessary to examine the return on investment of popular security practices. In the battle against data breaches, which practices, “fortress defense” or “armored defense”, provide the best ROI?
1. Identity and access management (IAM). The drawbridge of the fortress defense is IAM: only preapproved people can enter the company castle, and management decides where they can go once inside. IAM provides a powerful defense against data breaches, but it requires a major investment of time and energy to deploy correctly. Furthermore, not all IAM solutions are created equal. A 2012 Forrester report found “that build-your-own, COTS, and cloud IAM solutions provide triple-digit ROI percentages over manual IAM processes.”
Employees must be thoroughly trained on policies and procedures for IAM to work. Feeling pressure to deliver more output in less time, employees often find workarounds for accessing data. If implemented and maintained correctly, IAM can reduce data breaches; if not, a weak ROI should be expected, with sensitive data put at risk in the process.
ROI: 50/50, depending on whether it is implemented and maintained correctly.
2. Accessing data in the cloud. Cloud-computing providers are often viewed as a cost-effective way for corporations to expand server capacity or add capabilities without investing in new infrastructure, personnel training or software. However, there are hidden costs to putting company data in the cloud.
First, businesses that use cloud-computing providers are captive to their rates, plans and capabilities, and meeting individual service needs adds up quickly. The cost of supporting numerous remote devices, upgrading network bandwidth and dealing with unavoidable outages is high. The controversy over export-control regulations as they apply to the cloud is growing, and updating services to comply takes manpower and money.
ROI: Low for large companies that require customization or are subject to regulation.
“Armored Defense” Best Practices
3. Anti-theft solutions on mobile devices. Anti-theft solutions on company-issued devices are relatively inexpensive and straightforward to deploy across the employee base. Remote wiping of a lost or stolen device can prevent data theft, while geo-locating tools aid recovery efforts.
These tactics can also be applied to BYOD, a trend that appears to be here to stay. According to Gartner, by 2018, 70% of mobile professionals will conduct all their work on personal smart devices. Although some debate surrounds applying these solutions to personal devices, the chances of recovery are slim, as evidenced by Symantec’s Smartphone Honey Stick Project. That experiment involved leaving 50 smartphones in public places across five major cities to determine recovery rates and learn what data the finders accessed. The results were alarming: only half of the people who found one of the smartphones made any attempt to return it, and 96% of the phones had their data accessed by their finders.
ROI: Strong and simple to implement.
4. Upholding visual privacy. It is likely that confidential data will appear on an employee’s laptop or smartphone screen within view of wandering eyes at some point, whether while checking email in line at the coffee shop or finishing a crucial presentation on a flight. This issue of visual privacy, the protection of sensitive information while it is displayed onscreen, is an emerging one in information security, but one that is easy to address on individual devices with tools like a privacy filter.
The Ponemon Institute recently released the Visual Privacy Productivity Study, commissioned by 3M, and found a significantly positive ROI for protecting visual privacy. In the study, employees equipped with a privacy filter were twice as productive as those without one because they did not have to worry about data loss. For a corporation with 7,500 employees, lost productivity due to employee visual privacy concerns potentially costs more than $1 million annually. With the typical privacy filter costing approximately $40, this investment is recouped in months.
ROI: Strong and crucial to employee productivity.
5. Self-encrypting drives (SEDs). Because the encryption capability of an SED is invisible to the user, it cannot be turned off and an employee’s workflow is uninterrupted. The end user takes no steps to keep this security measure in place, removing the human-error or shortcut factor. The 2011 Ponemon Institute study, Perceptions about Self-Encrypting Drives: A Study of IT Practitioners, found that 40% of executives who report to CIOs or CISOs believe employees in their organizations routinely turned off their laptops’ security, even though 68% of the organizations involved had policies prohibiting this practice. Although SEDs have a higher price point than standard drives, they curb the loss of confidential information that can result from lost or stolen laptops. Considering that a breach of this kind practically hands confidential information to the enemy, SEDs are a worthy investment for any corporation.
ROI: Strong with little room for human error.
In summary, “fortress defense” security practices tend to be the most expensive to implement, and their ROI is contingent on employee execution and upkeep, which can diminish it. According to the 2013 Cost of Data Breach Study: Global Analysis, human error and system problems accounted for two-thirds of all data breaches in 2012. Taking an “armored defense” approach with solutions that limit the opportunity for human error is likely to garner the best ROI and provide a robust first line of defense for the organization. It is vital for IT professionals not to overlook low-tech solutions, such as privacy filters, SEDs and anti-theft solutions, in favor of complex systems to secure the fortress. A blended security approach combined with proper policies and employee education ensures optimal security and ROI.