The entire organisation is responsible

How good is the security culture in your organisation?

Do people incorporate cyber safety precautions into their day-to-day tasks? Is there good general awareness of information assurance amongst staff? Take a moment to reflect on these questions.

Security as an enabler can also be seen as a market differentiator

Security is often seen as an inhibitor to doing business, sometimes by adding excessive costs to projects. This needs to be changed and security really needs to be embraced as a business enabler, because it can provide the following:

  • Security can allow new ways of doing things, such as mobile working, that may have been considered too risky before it was evaluated by the security architecture team
  • Security can improve working practices as it forces businesses to focus on process optimisation and efficiencies
  • Security can minimise future costs due to non-availability of data or unauthorised release, so while it may cost money to implement controls today, it may save ten times that in losses over time

Consider a large organisation implementing a system where users need to authenticate to a printer in order to collect their output. They do this by swiping their ID card on a reader attached to the printer. The new printing system also provides additional facilities, which yield a massive benefit for the organisation, such as:

  • If printed output is not collected, it saves the cost of paper
  • Default print options can be enforced, such as duplex printing to save paper
  • Users can collect output from any printer without having to specify which printer is used – this makes using the print service very easy

One less tangible benefit from a corporate point of view is having this good story to tell about how important security is to the organisation. This is a true market differentiator, enhancing your company’s image as well as having a positive effect on company value.

The use of appropriate countermeasures and contingency plans can also have the very beneficial effect of making the work done by an organisation much more orderly by being based on best working practices. Piles of paper and computer disks left lying around on desks, floors and shelves can be a security disaster waiting to happen. With an Information Assurance standard in place, such things should be a thing of the past and the need to spend many hours finding a specific piece of information should be long gone.

An integrated model

Before going any further, it’s key to understand that security must not be treated separately from the rest of the business. Also, security is not only the responsibility of the IT department, or the information security manager, who is responsible for personnel and physical security. Instead, it has to be part of the culture of all staff in the organisation. Making everyone a stakeholder in security means they can all play their part in upholding the security of your information.

To be effective and ensure that it’s integrated into all systems and processes, security must not be an afterthought to your existing business model. Whether you’re designing business processes, building an IT system, or a new product, it should be incorporated from the very start. One of the costliest mistakes projects make is to try to retrofit the right amount of security at the end of development.

Typically, this results in two things happening:

  • Additional costs – it is always more expensive to add things later
  • The result not being as good as it needs to be. Adding in new components at the end of a system development cycle often leads to mistakes and inadequacies

The Microsoft Windows operating system is a great example: it was not initially designed with security in mind. How long has it taken Microsoft to get to the point where Windows security is considered robust? Microsoft now spends over £1 billion annually on cloud security. See here for more on Microsoft failures along the way.

Business drivers

Now it’s time to examine the various business drivers that impact security.

Government – Cabinet Office – NCSC

Increasing use of the Internet to perform transactions, whether for business, consumer buying, or citizens interacting with the government, has certainly had an effect.

There is also an increasing need and desire to store information online, for example:

  • Personal information held by the government on citizens, such as for tax and pension purposes
  • Ability to perform online banking actions and have access to your personal or business account details
  • Credit card details so that you can purchase goods on the Internet
  • Social networking sites, such as Facebook, Twitter and LinkedIn, where personal details are stored and shared

Many organisations operate or sell goods in other countries which means they need to securely transact with overseas parties and follow local laws and regulations relating to the storage and handling of personal data – especially if they transfer personal data abroad.

All of this accounts for the importance of and difficulty in keeping information secure.

Considerations for information security and the business impact

Maintaining the integrity and authenticity of transactions and communication between parties is a cornerstone of online business. The risks of malware infections through unsolicited email, phishing attacks and data loss are numerous. Examples of these include the loss of a laptop with sensitive data on it, criminals luring unsuspecting users to a rogue site to steal their data, or the compromise of credit card information held by online merchants. There have been some well-publicised examples of this.

Many security experts consider the insider threat by disgruntled staff as the biggest threat source to organisations. This can range from a system administrator with full access to an organisation’s systems, to individual employees who have access to confidential information.

Consider the increased use of outsourcing and offshoring over recent years and the continual adoption of cloud services. Organisation mergers and acquisitions also contribute to the changing landscape.

  • Incompatible cyber security culture
  • Technological integration – risk of unforeseen cyber attacks
  • Identifying dormant threats
  • Information Technology (IT) resiliency risk
  • Data security – the acquiring company must determine the cyber security posture of the target company to mitigate the risk of a data breach

Yahoo! has been criticised for their late disclosure of their breaches. The breaches impacted Verizon Communications' July 2016 plans to acquire Yahoo! for about $4.8 billion and resulted in a reduction of $350 million in the final price of the deal made in June 2017.

What's next?

You know that personnel can pose a risk if not on-side with company policy and ethos. Next, you will examine the ways we can defuse this type of risk by bringing staff into alignment.


In this course, you will discover the structures, policies and practices which provide a basis for developing the organisation’s information security.
