4 key steps to protecting critical information and ensuring data security
For many organisations, data has become their business. Gathering, processing and storing vast amounts of information across multiple countries, devices and employees has become the latest tightrope act for management to walk. A recent independent report, the 2014 Information Security Breaches Survey, found that 60% of SMEs and 81% of large organisations surveyed failed to do this securely, and so suffered a security breach as a result.*
I am certain that many of these breaches stem from the fact that many SMEs and large organisations do not have the resources or the will to operate an effective information security management system. Clearly, this isn’t the only reason. Global volumes of cyber attacks have actually decreased, yet more organisations have been breached. This is because cyber criminals have stopped using noisy ‘spray and pray’ mass attacks in favour of stealthier, quieter and more subtle techniques – and this is paying dividends for them. Straightforward cyber criminals aren’t the only concern: organisations also need to defend themselves against hacktivists, disgruntled employees, and corporate and state espionage. Furthermore, disruptive technologies such as the move to the cloud and the trend of bring your own device (BYOD) have further complicated the strategy and execution of effective cyber security. As we have witnessed, even when an organisation thinks it is in a mature cyber security position, attackers exploit unknown or neglected vulnerabilities, such as the social engineering attacks used in the Target and Home Depot breaches – which netted attackers a total of 96 million US credit card records. As an information security professional, it often seems that the odds are stacked in the attacker’s favour and we are playing catch-up.
So what can be done? Thankfully, most attackers still take the path of least resistance, and harder targets will only be pursued if the payoff is really worth it. This means organisations need to evaluate their information security management system across both the physical and cyber domains and take into account the holistic measures that may need to be implemented. There is no single technological, process-based or people-based magic bullet to protect sensitive data – it requires an effective management system governing these factors in both the physical and cyber spaces. I believe that this is achievable and suitable for organisations of any size, and that it requires thinking about four main themes in the context of the plan-do-check-act cycle:
Gain Management Sponsorship
The key starting point is to establish authentic senior management sponsorship. Like any project, things can quickly grind to a halt if financiers won’t approve spending on the resources required to close gaps. However, sponsorship is more than just someone signing a cheque. Leadership and the management of change are key to inspiring an information security management system which is sustainable and effective throughout the whole organisation. Start by creating the need – perhaps a cyber security accreditation will build trust with stakeholders and unlock more business. Then encourage leadership by example – there is nothing worse than being told to lock your workstation when your CEO doesn’t do the same.
Classify Data, Assets and Risk
With the backing of senior influencers, the next key task is ensuring that you have in place an accurate asset register, which includes digital assets and data. This should be more than just a list of things and names. By also including risk metrics, affected stakeholders and criticality to the business, you have started the basics of risk management, and this will pay off when trying to identify effective controls and the priority for applying them. I often see organisations that classify physical assets in isolation from data, but only by merging the two will the interesting interactions be discovered.
Identify and Implement Controls
Only with the preceding stages complete can you implement something. All too often, I hear advice from information security professionals telling organisations to implement data encryption, push all staff through mandatory training or jump straight to some other control. Without knowing the diamonds from the paperclips, you risk trying to boil the ocean or missing the real chink in the armour. Where possible, I start by comparing the status quo to a well-established standard, such as Cyber Essentials, ISO 27001 or PCI DSS, depending on the needs of the business. Then, based on the asset register, the controls which give the biggest bang for the buck can be implemented first.
Monitor and Improve
Cyber threats and the risk to your data are constantly evolving. Your information security management system must evolve too. You have to know when things are working, but also when they need to change. Quality metrics are key to this decision making. I think a Balanced Scorecard approach provides a good foundation. For example, consider potential financial measures: what is the value of the assets protected? Then consider potential learning and growth measures: do staff have the skills to spot and report phishing attacks? With these and other lead and lag indicators, you should be in a position to steer away from potential danger and show senior management that you are doing the right thing to protect the business.
With thought in these four areas and a belief in continuous improvement, any organisation can radically change the odds and move one step ahead of the attackers before it is too late.
*The 2014 Information Security Breaches Survey, commissioned by the Department for Business, Innovation and Skills (BIS) and undertaken by PwC.