Information Security Management Fundamentals for Non-Techies
Information Security Management: Is Your Organisation Secure?
In the 1987 film ‘Wall Street’, Gordon Gekko said, ‘The most valuable commodity I know of is information.’ The unscrupulous Gekko, played by Michael Douglas, profited from inside information gathered through a network of contacts. Some things don't change.
The Value of Data
Since Gekko delivered that prophetic line over 30 years ago, the digital age has dawned. Social media drives our hyperconnected networks. No wonder some people now consider personal data to be more valuable than oil. 21st-century leaders know that information security and data protection are business-critical. The question is how to secure an organisation’s IT systems, processes and people.
Although companies take seriously their duty to protect client data, data breaches and cyber-attacks still make the news. In 2018 Facebook stated that the data of 50 million of its users had been leaked. Earlier this year the social media giant announced that over a hundred million people’s passwords had been accessed. Even before this bombshell, 2019 had already seen several well-known organisations suffer breaches. Microsoft Office 365 said that a proportion of its email users had been hacked. German politicians were also targeted: Chancellor Angela Merkel’s email address and correspondence were leaked, and another German politician had their credit card details revealed online.
Over 14 Billion Records Compromised
At the global level, Gemalto’s Breach Level Index collates the frequency of data breaches and rates their severity. According to the database, nearly 15 billion data records have been lost or stolen since 2013. Of this staggering figure, only 4% of the data was encrypted, leaving 96% ripe for unauthorised harvesting and exploitation by third parties.
Unfortunately, securing data systematically now takes far more than installing a firewall or anti-virus software. Information security can be compromised for a range of reasons. Some of these may be innocent or careless, but many are malicious and criminal. External attacks remain a continuing organisational threat, but the threat from inside is just as real: a 2018 research study found that, on average, 25% of data breaches are caused by employees. Whether through mishandling data in ignorance, negligence or malpractice, it is a serious issue. From an employee who inadvertently clicks through on a phishing email and leaves the company exposed, to bad actors launching a co-ordinated and pre-planned cyber-attack, the complexity of the challenge is that there is no single solution to secure all data all of the time.
Whatever the cause of a data breach, affected organisations not only find themselves subject to substantial regulatory penalties but also suffer significant reputational damage. In July 2019, British Airways was advised it would be fined a record sum of £183.39 million for the loss of the credit card information of half a million of its customers. If large multinationals such as BA, Facebook and Google (which closed Google+ in 2018 as a result of ongoing security weaknesses) are this vulnerable, what can SMEs do to protect their customers’ data?
For all these reasons it’s clear that information is a prime business asset that needs to be protected. To deliver effective information security, systems must be underpinned by the principles of confidentiality, integrity and availability, otherwise known as the CIA triad.
Confidentiality must be considered at every level of the organisation. Access to any personal data should be strictly controlled and granted only for a clear business purpose. All employees should receive training so that they are fully aware of their responsibilities and diligent about compliance, in order to avoid breaches.
Integrity is concerned with data accuracy and the prevention of unauthorised or unintentional data modification. Any corruption of data compromises data integrity.
Availability ensures that data is accessible to authorised users when they need it. Websites can go down because of power outages or technical faults, and in those cases there is no additional security issue. When an attacker deliberately takes a site down by flooding it with traffic from multiple sources, preventing legitimate access, this is called a Distributed Denial of Service, or DDoS, attack.
Any organisation whose IT systems and processes fail to embed these fundamental principles, or that fails to put sufficient monitoring and control measures in place, will always be vulnerable. An organisation's people are often the weakest link, so robust systems, processes and training should be in place to mitigate human error. To manage the risk optimally on an ongoing basis, there are significant benefits to outsourcing data security solutions. No leader wants to hear the words, 'there's been a breach'.
Invest in IT Managed Services
With global companies regularly under the spotlight for data breaches or cyber-attacks, company officers responsible for data in Ireland will want to invest in solutions that provide peace of mind. Outsourcing information security expertise comes with many benefits, including fixed costs, technical support, and regular updates and upgrades. Note that when an information security company holds the international ISO 27001 certification, the client can be reassured that it has been awarded the highest security quality standard. Contracting out IT managed services gives the client access to the most advanced information security solutions. It also provides full accountability for data security and allows the organisation to get on with delivering its core business objectives.