In the IT world, we can access data more quickly and with a fraction of the effort required three decades ago. With that quicker and easier access comes responsibility. Just because data and systems can be accessed with relative ease does not mean that they should be accessed, or that ease of access implies a right of access.
The need to respect the boundaries and privacy of data is just as important today as it was before the widespread introduction of computers and the internet. 60% of data breaches occur because of internal vulnerabilities, and no business can afford to ignore the risks.
Security Management is not a bunch of tools and equipment; it is an acquired mind-set and way of thinking. Your local IT geek or team, for the most part, spend their careers making systems and data more shareable and accessible, and they are largely unaware of what they don’t know. Many will adopt offsite or cloud services for their clients with little or no due diligence beyond reading the marketing hype.
Over 90% of security breaches that I get called to look at could have been easily avoided with an active internal company security policy and a properly managed network.
The principles in Microsoft's 10 Immutable Laws of Security Administration, published in 2000, are for the most part still relevant today.
“Law #7: The most secure network is a well-administered one
Most successful attacks don't involve a flaw in the software. Instead, they exploit misconfigurations.
The most important tool here isn't a software tool—it's procedures. Having specific, documented procedures is an absolute necessity. As usual, it starts with the corporate security policy… The more specific these procedures are, the better. And write them down!”
I always advise having a proper security audit carried out to determine the level of risk in your business.