Security is essential for your network and your data. Once it compromise, the worst thing like completely out of service can happen, and believe us it is not nice.
It’s very important to understand that in security, it’s not only about best methods, best software or best equipment. It’s a risk management. Security implemented with two extremes in mind, absolute access or absolute security. Your data is absolutely secure if there no access at all, unplugged them from the network, power-supply and locked in a titanium safe. And why you want absolute access? Because it is absolutely convenient and simple for users.
Once you put security measures, everyone in your organisation must willing to accept that their level of convenience is decreasing and they must have to learn something. You can’t simply put high security measures to your whole system. Yes, it is highly secure but maybe people will be frustrated and decided not to work for your anymore. Imagine if an application is asking for password everytime user fill single data field. The cost will outweigh the benefits. It’s a risk management, you put security to minimise risk without require cost that will outweigh the benefits.
Every organisation needs to decide for itself where between the two extremes of total security and total access they need to be. A policy needs to articulate this, and then define how that will be enforced with practices and such. Everything that is done in the name of security, then, must enforce that policy uniformly.
