The employee as a core component of the security process
Category: News
By: F. Fiesel, 2B Advice – the privacy benchmark
Each year companies spend vast sums on the security of their data. In most cases, this entails employing technical measures such as encryption at the hardware or software level. However, security is an ongoing process, not a static construct. Many companies forget this and are unaware of the gaps opening up in what seems like a secure IT infrastructure.
Most recently, a hacker in the US presented a method at Black Hat DC (a well-known hacker conference in the US) that makes it possible to crack the TPM (Trusted Platform Module). While the method is highly complex and expensive, it should put the need for protecting one's own data in perspective. The risk posed by this method is indeed negligible for most companies, but it does show that every technical measure can be circumvented somehow.
To counter this risk, staff at many companies are also trained to handle company data sensitively. But small businesses in particular often neglect the issue of sensitizing staff. The resulting vulnerability, combined with the potential damage, is many times greater than the cost of training staff.
To attain the greatest possible level of security, there should be an overall balance between technical and organizational measures. In addition, all staff must be made aware that security is a process that has to be improved on an ongoing basis and in which each individual employee has a key role to play.
