Why investing in information security should be top of the agenda
June 2017 | EXPERT BRIEFING | RISK MANAGEMENT
The digital age has transformed the way we store and process information, with developments in technology enabling us to become more efficient than has been previously possible. As businesses deal with ever increasing volumes of information, with a particular reliance on computers, it has never been more important to protect our data. The threat of a breach looms over businesses big and small, and could have serious implications for any organisation in possession of information.
ISO certification is widely considered to be the ‘gold standard’ of information security. To achieve this status, organisations must complete rigorous risk assessments and audits – both internal and external – to prove they are taking every precaution necessary to limit the possibility of a security breach. An information security management system (ISMS) is a systematic approach to managing company information so that it remains secure. It includes people, processes and IT systems by applying a risk management process.
What is information security?
It is crucial to establish what is meant by information when considering what should be protected. Businesses need to look beyond raw data files and protect all information regardless of the form it may take. That which needs to be secured is not limited to consumer data but includes a whole range of documentation from client details, work and financial information, down to names and addresses contained within HR records. It is good practice to encourage employees to protect all files, both digital and hardcopy, regardless of whether or not they appear to be confidential.
A data breach is considered to be any event which has the potential to affect the confidentiality, integrity or availability of information. It comprises everything from subjection to certain computer viruses and cases of passwords being hacked or revealed, to transferring data insecurely and leaving sensitive documents out in view.
In recent years, a series of high profile companies have made headlines following full scale cyber attacks. Tech giant Yahoo has suffered two separate major data breaches in the last five years. With the details of 1.5 billion accounts stolen, this is generally considered the most significant breach in online history, in which hackers gained access to names, contact details, passwords and security questions. However, it is important to remember that data breaches are not always the work of malicious cyber criminals. Last month, a London city worker was fined £75,000 for sharing client information via mobile messaging service, WhatsApp. This is not an isolated case and data breaches are all too often the result of human error. Regardless of whether an incident is accidental or intentional, any breach of security must be reported and taken seriously.
What are the benefits of protecting information?
The likelihood of a security breach is increasing. As businesses and their employees deal with more data and information, hackers are simultaneously inventing more sophisticated means of gaining access. It goes without saying that many cyber attacks or information losses start via suspect emails sent to a business. It is therefore important to introduce and maintain IT systems to reduce this risk.
From a financial perspective, the investment in training and awareness far outweighs the potential fines associated with a data breach. On top of the penalties and compensation costs, companies often suffer from further financial implications as a result. For example, when Yahoo was acquired by Verizon Communications, the offer was lowered by $350m following news of the breaches.
It is true that rebuilding consumer trust post-breach can often prove more difficult than the financial recovery. Businesses work extremely hard to initiate and maintain relationships with customers but if people have any inclination that their personal data is not secure, even the most ingenious marketing campaigns will fall on deaf ears.
Aside from avoiding embarrassing and costly breaches, adopting a strong stance on information security can also have a positive impact on attracting new business. Data security is moving rapidly up the agenda. The ISO information security standards are fast becoming the first question on the majority of due diligence security questionnaires. Companies that can demonstrate a strong focus on information security will have a competitive edge, especially when targeting blue chip clients.
What is involved in ISO certification?
In addition to deploying the information management system, financial costs also occur in terms of internal resource and time. Organisations will need to create an information security management team (ISMT) who act as a steering group in charge of implementing the standard, from writing various information security policies and ensuring the IT environment is in order, to educating staff on protocols.
It is likely that employees will be keen to embrace any changes, but may require training to escape bad habits. Educating employees on information security requirements involves a continued effort rather than a one-off training session, which is a large investment for any business. However, this ensures continual compliance and makes information security routines become second nature for employees, preventing them from slipping back into old habits.
Perhaps the most challenging part of this process is facilitating the cultural change which is associated with this new approach. Regardless of seniority or department, information security is the responsibility of all employees. Long gone are the days of an IT team and compliance department that are solely responsible for these issues. Today, every individual in a workplace needs to take ownership and protect the information they work with. This includes simple steps such as locking computers and keeping paperwork hidden, as well as the more complex duties and protocols involved.
Is it worth it?
There is no getting away from it; businesses need to equip themselves properly in order to protect their data. With reputation and financial stability at stake, the benefits of investing in information security certainly outweigh the costs. Keeping confidential information secure provides customers and stakeholders with confidence in how an organisation manages information, and meeting legal obligations gives companies a competitive advantage.
Andrew Bridges is data quality and governance manager at REaD Group. He can be contacted on +44 (0)20 7089 6400 or by email: firstname.lastname@example.org.
© Financier Worldwide