Early on, some companies tried an approach known as “security through obscurity.” Like putting packages in your car’s trunk while shopping, what thieves couldn’t see they couldn’t steal. Of course, during some parts of the year thieves know every car at the mall is full of purchases, so the trick doesn’t always work. Attackers likewise know that every e-commerce website keeps credit card data somewhere, so moving the file to an unexpected location won’t protect it either; they will simply look for it.
Invisible information security works to hide the parts of security that users hate while keeping the system safe. This can be a great move, for two reasons. First, if you authenticate users “invisibly” by device identity, network location, or a single sign-on system, there is no user-chosen password for attackers to crack with a basic dictionary attack. The caveat is that a device ID or an IP address is easily spoofed or shared (many users sit behind one NAT address), so these belong in a risk-based decision alongside a real credential rather than standing in for one; single sign-on moves the password problem to one identity provider that can be defended far better than a hundred separate logins. The less a user has to do to stay secure, the fewer shortcuts there are to take, and the more secure your system.
Second, using this approach means security considerations are part of the planning process for the project at hand. Too often, security is tacked on like a coat of paint on a house rather than integrated into the application, like the foundation of a house. Getting management approval for invisible information security means security concerns are high on the list of project requirements.
During planning, a focus on invisible information security also means data safety processes will not interrupt the user. Backup, a critical data safety process, used to be user-driven, and failure was the norm. Now backups happen automatically, users are not involved, and data safety has improved dramatically.
Simple things make a difference. Code every link to use HTTPS (HTTP over TLS) for all connections, redirect any plaintext request to its HTTPS equivalent, and send a Strict-Transport-Security header so the browser itself refuses to try plaintext again. Apps on smartphones and tablets should use the same encrypted endpoints and validate the server certificate rather than silently accepting any. The user never sees any of this, so they can’t bypass it.
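The following is an added example, not code from the original article, showing how the “always HTTPS” rule above is enforced server-side so that no user choice is involved: a Go `net/http` middleware that 301-redirects plaintext requests to a configured canonical host over HTTPS and adds an HSTS header to every TLS response. The host name, the one-year HSTS policy and the certificate file names are assumptions for the example.

```go
package main

import (
	"log"
	"net/http"
	"net/url"
)

// hstsValue is the Strict-Transport-Security policy sent on every HTTPS
// response: one year, covering subdomains. Assumed policy for this example.
const hstsValue = "max-age=31536000; includeSubDomains"

// httpsOnly wraps an application handler so that every plaintext request is
// redirected to the same path and query on canonicalHost over HTTPS, and every
// HTTPS response carries HSTS so the browser refuses plaintext afterwards.
// The redirect target uses the configured host, not the request's Host header,
// so a forged Host header cannot turn the redirect into an open redirect.
func httpsOnly(canonicalHost string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS == nil {
			target := url.URL{
				Scheme:   "https",
				Host:     canonicalHost,
				Path:     r.URL.Path,
				RawQuery: r.URL.RawQuery,
			}
			http.Redirect(w, r, target.String(), http.StatusMovedPermanently)
			return
		}
		w.Header().Set("Strict-Transport-Security", hstsValue)
		next.ServeHTTP(w, r)
	})
}

func main() {
	app := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("hello over TLS\n"))
	})
	h := httpsOnly("example.com", app) // example.com is an assumed host
	go func() { log.Fatal(http.ListenAndServe(":80", h)) }()  // plaintext: redirects only
	log.Fatal(http.ListenAndServeTLS(":443", "cert.pem", "key.pem", h)) // assumed file names
}
```

Behind a TLS-terminating load balancer `r.TLS` is nil for every request, so the check must instead read the proxy’s forwarded-protocol header, and the proxy must overwrite that header on the way in; otherwise a client can forge it and skip the redirect.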
Encryption is another data safety process that users don’t see. Backup files should be encrypted before being transmitted, which protects them both in transit and at rest wherever they land, and authenticated encryption should be used so that a corrupted or tampered backup is rejected rather than restored. Keep the keys separate from the backups themselves, ideally in a key management service or HSM, and test restores regularly: an encrypted backup whose key has been lost is lost data. Companies in compliance-heavy industries, such as healthcare, should encrypt all data by default.
Data Loss Prevention (DLP) tools also fall under invisible information security. Protecting the company’s intellectual property (IP) from employee misuse, intentional or otherwise, stays invisible to every employee who isn’t trying to copy IP out of the system. Guarding critical files, especially customer and patient records, and monitoring them as they move through their workflow takes planning and effort, but it pays off by drastically reducing internal accidents and theft. The tools work by inspecting content as it leaves (e-mail, uploads, removable media) for patterns such as card numbers, identifiers, or tagged documents, which is why classifying the data first matters.
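As an added illustration (not a tool from the original article), the content-inspection step at the heart of such a DLP control in Go: scan outgoing text for payment card numbers, validating candidates with the Luhn check so arbitrary long numbers are not flagged, and for US Social Security numbers, returning masked findings that can be logged or used to block the transfer. The sample document and the numbers in it are constructed for the example (the card number is a well-known test number).

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// finding is one sensitive value located in the scanned content; only the
// last four digits are kept so the DLP log does not itself become a leak.
type finding struct {
	Kind   string // "PAN" (payment card number) or "SSN"
	Offset int    // byte offset of the match in the content
	Masked string
}

var (
	// 13 to 19 digits, optionally separated by single spaces or hyphens, on word boundaries.
	panPattern = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)
	// US SSN in the conventional dashed form.
	ssnPattern = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)
	stripSep   = strings.NewReplacer(" ", "", "-", "")
)

// luhnValid reports whether a digit string passes the Luhn checksum used by
// payment card numbers; it filters out invoice numbers, timestamps and the like.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// mask keeps only the last four digits.
func mask(digits string) string {
	return strings.Repeat("*", len(digits)-4) + digits[len(digits)-4:]
}

// scan returns every card number and SSN found in content, in document order per kind.
func scan(content string) []finding {
	var out []finding
	for _, loc := range panPattern.FindAllStringIndex(content, -1) {
		digits := stripSep.Replace(content[loc[0]:loc[1]])
		if luhnValid(digits) {
			out = append(out, finding{"PAN", loc[0], mask(digits)})
		}
	}
	for _, loc := range ssnPattern.FindAllStringIndex(content, -1) {
		digits := stripSep.Replace(content[loc[0]:loc[1]])
		out = append(out, finding{"SSN", loc[0], mask(digits)})
	}
	return out
}

func main() {
	// Constructed outgoing message: one real-looking card number, one number that
	// fails Luhn, one plain order number, and one SSN.
	msg := "Card 4111 1111 1111 1111 exp 12/27; ref 4111111111111112; order 1234567890123; SSN 219-09-9999 attached."
	for _, f := range scan(msg) {
		fmt.Printf("%s at offset %d: %s\n", f.Kind, f.Offset, f.Masked)
	}
}
```

Pattern matching is only the first stage; a production DLP tool combines it with document classification tags and context (who is sending what, to where) to keep false positives from turning the invisible control into a visible nuisance.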
The management process of classifying company data by criticality drastically improves data security by forcing security concerns to the front of project planning. Heightened security concerns make it possible for IT pros to convince management that the old “M&M” approach, a hard shell protecting the soft candy inside, no longer works. Incompetent or mischievous employees are already inside the shell, so there must be security inside as well. And making that security invisible means users can’t bypass it. Security the users can’t bypass is the best security.