Access to information vs confidentiality


In an era when improving access to information throughout the ranks is considered imperative for empowering employees, increasing productivity and enhancing decision-making, companies are increasingly faced with the dilemma of how to protect that which is confidential.

Protecting data from unauthorised access is one thing. But, companies also need to consider how they are to protect the confidentiality and integrity of information that employees, in terms of their roles within the organisation, are actually authorised to see.

"Companies have long recognised the benefits of improving the availability of information across their ranks. Over the past decade or more, many companies have invested quite heavily in systems that help them to make information more readily accessible.

"However, doing so comes with enormous risk and the obligation to protect confidential information becomes more onerous. Protecting the privacy and integrity of information that they allow their employees to access on a daily basis is a significant business challenge,' says Richard Broeke, Security Consultant at Securicom, a specialist provider of managed IT security services and solutions in Africa.

A lot of companies are bound by legislation to keep information confidential. Organisations like banks, insurance companies, medical aid companies and any other business that deals with sensitive or confidential information have a legal responsibility to ensure that private customer information is not accessed by anyone outside the company.

When information of a sensitive or confidential nature is modified or seen by people who shouldn’t see it, whether as a result of a human error or intentional tampering or facilitation, companies could face legal liability. But liability aside, losing face and trust amongst stakeholders and the public can also weigh heavily on the bottom line in the long run. Nobody wants to do business with a company they don’t trust.

Of course, companies also want to protect their intellectual capital. With all of this in mind, it would seem that reaping the benefits of better access to information while maintaining confidentiality of information would be pretty much like trying to mix oil and water, achieving the impossible. But, Broeke says it is achievable.
"Companies can have the best of both. However, it’s got to be smartly, tightly and effectively managed,' he says.

To get it right - that is, increasing availability of information across the enterprise while keeping what should be kept confidential, confidential - companies need to have a flexible and multi-pronged strategy that can be adapted as the environment and needs change.

They also need well-defined security policies and procedures, must use robust tools, and should keep a close watch at all times.

A security policy is concerned with these important issues:

• High-level description of the technical environment
• Comprehensive definition of what must be secured
• Description of the legal environment in which the business operates (regulatory compliance)
• Risk analysis that clearly identifies the company’s assets and the threats that exist against those assets
• Guidelines for system administrators on how to manage systems
• Defining user profiles and access levels
• Definitions of acceptable use of company email, internet access, computers and information
• Guidelines for reacting to an intrusion or a security breach or event

"Employees are the biggest threat to a company’s IT security and the confidentiality of the information it stores. Education is therefore a key component for IT and data security. Companies must define and clearly communicate the rules governing the access to and use of information. Employees also need to understand the consequences of contravening company policy,' he says.

Continuous monitoring of the security status of the network and activity on business critical machines is essential if a company has any hope of maintaining confidence in the security its infrastructure and data resources. Technology obviously makes this task far easier.

"Once again, a multi-level approach and multi-layers of protection is needed for companies for which high security and confidentiality are the key priorities. With appropriate technologies and devices strategically placed across the architecture, companies can control who has access to what information, the type of information that certain levels of users can extract from company machines using portable devices, and the type of information that is allowed to enter or leave the network via the web or in emails,' says Broeke.

"Giving users access to information while ensuring utmost confidentiality doesn’t have to be a tall order when a solid security policy and best of breed security technologies are applied.'