Closing Gaps in Information Security Goes Way Beyond Technology
Mitigating the risks caused by breaches to company information is not only based on compliance and the use of security technology and software programs; it's largely an issue of understanding your business and motivating staff buy-in. This is the opinion of J2 Software's managing director, John Mc Loughlin, who advises on prevention strategies, including embedding a culture dedicated to protecting the intellectual capital of organisations.
A number of high-profile security breaches around the world have pointed to how costly and devastating this can be to a business and its reputational management. Developing countries are particularly vulnerable with the rapid spread of Internet connectivity and accessibility. Individuals and organisations without watertight security measures in place can fall prey to increasingly sophisticated strategies to get users to part with sensitive information.
"It is a critical that your users are the first line of defence and are highly motivated to become the guardians of an organisation's information," says Mc Loughlin. "It is virtually impossible to plug every hole as the protection of information would become a never-ending task. Yet a reactive response to specific incidences of security breaches as they arise is also counter-productive."
He is a firm proponent of a comprehensive management risk strategy that starts at executive level. "Companies should put the same emphasis on information security as they place on health and safety. Today's competitive information-driven economy that often relies on quick implementation of business opportunities makes ICT governance, risk and compliance (GRC) utterly essential and should be part of a company's DNA from board level through to all departments and functions for sustainable growth. New laws and governance codes should be seen as an opportunity to increase your competitive advantage and not as an inhibiting factor.
"Ticking boxes to comply with regulations won't protect your business. You can't implement a strategy if you don't understand how information flows in your business and the risks associated with outsourcing. The information architecture blueprint and its evolution need to be continually shared with staff using a number of visible and high impact communication tools. These include trained facilitators, security road shows, computer-based training, visual reminders such as screen-savers, annual security weeks, workshops and live simulations.
Staff should also not be censored for revealing errors, but encouraged with recognition for spotting internal and external threats and implementing security measures. An understanding that user mistakes are considered an opportunity to learn is a good place to start and encourages proactive monitoring and enforcement," he says.
Experience has shown him that non-compliance is often not malicious, but rather a factor of human error and a lack of in-house expertise. Another factor is compliance fatigue from ever-changing legislation and cost-avoidance.
A baseline audit is useful as a compliance assessment exercise to motivate the board and senior executives in an effort to gain their understanding and support for backing security measures and any additional funding that may be required.
"Computer-based solutions and ongoing training are the most powerful methods of instilling staff awareness and ensuring adherence to policies. Condensing lengthy policy documents and audit reports into practical solutions should be driven by the IT department, with support from HR, so as to be dynamic and easy to implement. Automated electronic tools, and ongoing awareness integrated across all departments, help combat new threats that result from changes to the business and increasing external threats.
Information and documents moving between departments can mean that the confidentiality and protection of this information is compromised so it is essential that an organisation instils a general understanding that it's everyone's responsibility to protect the intellectual property of the business, no matter how insignificant it may seem.
"All of these factors must be taken into account when considering the implementation of a long term governance, risk and compliance strategy," Mc Loughlin concludes.