
Why should I take information security seriously?

Secure your information

Everyone will have come across the government department data leaks that have recently been publicised in the media, and people are often in disbelief that such events can happen in the first place. Whether the data is millions of people’s bank details, a top secret document or some other sensitive information, the problem is the same, albeit with a varying degree of impact. The damage may be reputational, it may be financial, or it may affect the day-to-day running of the organisation.

So what is Information Security?

Information Security is, put simply, how an organisation protects its assets, where an asset is anything within the organisation that has a value to the business. It deals with the confidentiality, integrity and availability of all information-related assets.

For example, it is normal to have several classification levels within your organisation which are assigned to information assets, the level depending on the sensitivity of each asset. Each classification carries a different security access level, directly related to the impact of losing that data. A highly confidential document is therefore treated differently from an unclassified document, because the impact of losing the unclassified one is lower.
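The idea that each classification carries its own access level and handling controls can be made concrete in code. The following is an added example, not code from the original post: the four classification levels, the handling controls attached to each, and all asset and staff names are constructed for illustration. The read rule it applies is the hierarchical "no read up" rule of label-based (mandatory) access control, which generalises the post's two-level example: a principal may read an asset only if their clearance is at least the asset's classification, and every decision, allowed or denied, is written to an audit trail.

```python
"""Label-based access check for classified information assets.

Added example (not from the original post). Levels, controls and names
are constructed. Rule: a principal may read an asset only if their
clearance dominates (is >=) the asset's classification ("no read up").
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Iterable


class Classification(IntEnum):
    """Ordered so that a higher value means a higher impact if the data leaks."""
    UNCLASSIFIED = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    HIGHLY_CONFIDENTIAL = 3


# Constructed sample policy: controls that apply when handling an asset at
# each level. The higher the impact of loss, the more controls are required.
HANDLING_CONTROLS = {
    Classification.UNCLASSIFIED: frozenset(),
    Classification.INTERNAL: frozenset({"authenticated access"}),
    Classification.CONFIDENTIAL: frozenset(
        {"authenticated access", "encrypted at rest", "access logged"}),
    Classification.HIGHLY_CONFIDENTIAL: frozenset(
        {"authenticated access", "encrypted at rest", "access logged",
         "named-individual approval", "no removable media"}),
}


@dataclass(frozen=True)
class Asset:
    name: str
    classification: Classification


@dataclass(frozen=True)
class Principal:
    name: str
    clearance: Classification


def aggregate_classification(assets: Iterable[Asset]) -> Classification:
    """A document or export combining several assets inherits the highest label."""
    return max((a.classification for a in assets), default=Classification.UNCLASSIFIED)


@dataclass
class AccessMonitor:
    """Evaluates read requests and keeps an audit trail of every decision."""
    audit: list = field(default_factory=list)

    def can_read(self, who: Principal, what: Asset) -> bool:
        # "No read up": clearance must dominate the asset's classification.
        return who.clearance >= what.classification

    def read(self, who: Principal, what: Asset) -> frozenset:
        """Record the decision, then either deny or return the controls that apply."""
        allowed = self.can_read(who, what)
        self.audit.append(
            (who.name, what.name, what.classification.name, "ALLOW" if allowed else "DENY"))
        if not allowed:
            raise PermissionError(
                f"{who.name} ({who.clearance.name}) may not read "
                f"{what.name} ({what.classification.name})")
        return HANDLING_CONTROLS[what.classification]


if __name__ == "__main__":
    monitor = AccessMonitor()
    staff = Principal("staff-member", Classification.INTERNAL)
    board = Principal("board-member", Classification.HIGHLY_CONFIDENTIAL)
    newsletter = Asset("newsletter", Classification.UNCLASSIFIED)
    payroll = Asset("payroll-export", Classification.HIGHLY_CONFIDENTIAL)

    print(sorted(monitor.read(staff, newsletter)))
    print(sorted(monitor.read(board, payroll)))
    try:
        monitor.read(staff, payroll)
    except PermissionError as exc:
        print("denied:", exc)
    print("combined label:", aggregate_classification([newsletter, payroll]).name)
    for entry in monitor.audit:
        print(entry)
```

The audit list is what an incident investigator would turn to after a suspected leak, which is why denied requests are recorded as well as allowed ones. The `aggregate_classification` helper captures a point the post's two-level example leaves implicit: a file that combines content from several sources must be handled at the level of its most sensitive part, not its least.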

Information Security is not rocket science, but many organisations still get the simple things wrong or don’t take security seriously enough. I am sure most businesses that deal with large amounts of cash wouldn’t carry it to the bank in a clear bag each day! Why should we deal with other valuable information so haphazardly? Just because an information asset doesn’t have an obvious monetary value, it doesn’t mean that you wouldn’t suffer damage to your business reputation, or financial losses, if the information got into the hands of a competitor or the media.

It’s all very well me telling everyone to look after your data better and more securely than you currently do, but each individual business must assess the impact and risk of losing information or having data compromised. To put this in perspective – what would happen to your business if you relied heavily on taking credit card payments via a POS terminal and the bank revoked your right to use one because of a data breach which was traced back to your company? This may seem far-fetched, and you may say that would never happen to my business, but the reality is that it could. Banks are well within their rights to do this, or to insist that you put certain security measures in place, which could cost thousands of pounds to implement. However slim the risk may be, it does not remove the possibility of this happening. If, on the other hand, the banks see that you already have good security measures in place and that very little could have been done to prevent the incident, they may be more lenient and the impact on your business could be significantly lower. Further reading on this subject can be found via the Payment Card Industry (PCI) Standard web site.

There are various methods that can be used to improve your security, depending on what your company needs, and the best one in my opinion to look at is ISO 27001. This is an international standard which covers all areas of information security and is widely respected throughout the world. Taking it on in its entirety may be too much for a small business, as the standard covers 133 separate controls across the following 11 sections:

  1. Security Policy
  2. Organisation of Information Security
  3. Asset Management
  4. Human Resources Security
  5. Physical and Environmental Security
  6. Communications and Operations Management
  7. Access Control
  8. Information Systems Acquisition, Development and Maintenance
  9. Information Security Incident Management
  10. Business Continuity Management
  11. Compliance

Most businesses, however, will be able to take certain elements of what the standard covers and improve the way in which they look at information security. If every business did this, our information would be a whole lot safer. Ignorance is no excuse these days for business owners, so if they start to lead the way – people will follow! If we can start to educate people, maybe information security will become a topic of the past rather than the topic of the day, and perhaps we might start to handle the security of data in a better way.

At the end of the day, Information Security is there to protect your company and client information, and it should always be aligned to the needs of the business rather than creating a barrier which inhibits growth. Perhaps we could look at how Health and Safety has developed over the past 20 years and apply some of the same methods to information security, whilst still being realistic.

I would appreciate your comments on this subject…
