An information security leak can be very costly for any organization, easily costing a company millions of dollars in direct and indirect losses. In this article we review the areas that most often cause leaks, so that you can check whether you are putting your organization at risk, and give four steps you can follow to reduce your risk of information theft. Read on to learn more, or contact Blue-Pencil to find out how we can help make your business more secure.
Things To Analyze To Determine Possible Problem Areas
Below is a list of the areas that most often cause information security leaks. It is by no means exhaustive, but it is a good place to start. When assessing your information risk, begin by tracing the entire lifespan of a document, from creation to destruction, and analyze each step in that flow for points where the information could be exposed. The list below is a guide to where you should be focusing.
Document Storage & Management
One of the first places to look for holes in your information security is how your organization handles physical documents that contain information. In many organizations the policy and procedure for document storage and destruction is weak or nonexistent. If that describes your organization, here is a free information destruction policy template.
What you want is a clear outline of which documents must be stored and for how long, which must be destroyed, and a process that ensures every document that is no longer needed is actually destroyed (shredded or otherwise rendered unrecoverable, not simply thrown out). Without such a procedure, or without training on it, you run the risk of lawsuits, regulatory fines, competitive harm and reputation damage, all of which you want to avoid. If this sounds like your organization, Blue-Pencil can help.
Malicious Employees & Employee Errors
According to the Ponemon Institute survey on data security breaches sponsored by Vontu Inc. (^), the most likely threat to information security comes not from outside your organization but from within. The study found that 69% of companies reporting serious data leaks attributed them to either malicious employee activity (30%) or non-malicious employee error (39%). For this reason we recommend that organizations keep an active pulse on employee engagement and on the warning signs of insider risk, and act on those signals before they become an incident. The most practical safeguard is to limit each person's access to the information their role actually requires and to revoke it promptly when they change roles or leave, so that a disgruntled or departing employee cannot take more than they were ever entitled to see. If you do not have a process in place to track this, we recommend you implement one. Employee errors, on the other hand, can only be reduced by more and better training of your staff.
Your organization's information security will only be as good as the security behaviour of your employees. If you have a great policy but no one follows it, you are still at risk. A good way to see how your organization is doing is to pick 10 employees at random and check how well they follow your security policies and protect the organization's information the way you would want them to. If they score poorly, identify whether the cause is a lack of training, a lack of awareness, a lack of understanding of why it matters, or simply a lack of policies and procedures.
Consistency In Security Through To Suppliers
If you share information with your suppliers and they do not protect it to the same standard you apply within your own organization, that is a hole in your information security plan. Companies often forget to look at suppliers when reviewing their plans. In the Target breach of 2013, for example, the attackers got into Target's network using credentials stolen from its HVAC supplier, which had remote access to a Target vendor portal (^).
Proper Protection Between Work And Personal Use On Mobile Devices
Adopting a bring your own device (BYOD) policy can create serious information security risks. We are not recommending against BYOD, but if you adopt it you need to analyze what risks it presents to your information and how to mitigate them.
The risk created by BYOD is both internal and external. Internal issues include loss or mismanagement of the device; external issues include exploitation of software vulnerabilities on the device and the deployment of poorly tested, unreliable business applications. It is also important to set clear rules for work versus personal use (for example, which apps may hold company data, whether the device must be encrypted and lock automatically, and how company data is removed when the person leaves) to avoid accidental disclosure when the boundary between work and personal data is lost.
Strength Of Passwords
Weak passwords are a common issue and an easy access point for anyone looking to steal your information. Target's 2013 breach, for example, exposed about 40 million credit and debit card numbers along with personal records of some 70 million customers (^), and cost the company $162 million (^). In the assessment that followed, consultants found that weak passwords were widespread: within a week they were able to crack 86% of Target's 547,470 employee passwords (^).
An easy way to address this is to set rules for all password creation: a minimum length, no passwords that appear on known-breached or easily guessed lists, and no reuse of the same password across accounts. Forcing renewal every 30 days on the most important systems is sometimes suggested as an added layer, but note that current guidance (NIST SP 800-63B) no longer recommends periodic rotation unless there is evidence of compromise, because it pushes users toward predictable variations of the old password; screening new passwords against breached-password lists and adding multi-factor authentication on important accounts give more protection.
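The following is an added example of how such a password policy can be enforced in code; it is not Blue-Pencil's own tooling. It checks the rules discussed above: a minimum length, rejection of passwords found in a breached-password list (compared by SHA-1 hash rather than plaintext, the way such lists are normally distributed), rejection of passwords built from the user's name or the company name, and rejection of simple sequences. The breached list and the company name tokens are constructed assumptions for the example; in practice you would load a real corpus or query a k-anonymity service by hash prefix.

```python
"""Password-policy checker (added example, not the article's own code)."""
import hashlib

# Constructed sample standing in for a real breached-password corpus.
# Stored as SHA-1 hex digests so the policy code never holds plaintexts.
_BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ["password", "123456", "qwerty123", "Summer2014", "Welcome1", "letmein"]
}

MIN_LENGTH = 12
# Assumption: the organisation's name, in the spellings users are likely to type.
COMPANY_TOKENS = ("bluepencil", "blue-pencil", "blue pencil")


def _is_breached(password: str) -> bool:
    """Membership test by hash, mirroring a k-anonymity style lookup."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest in _BREACHED_SHA1


def _has_sequence(password: str, run: int = 4) -> bool:
    """True if any window of `run` characters is ascending, descending or repeated
    (catches '1234', 'abcd', 'aaaa'; case-insensitive)."""
    lowered = password.lower()
    for i in range(len(lowered) - run + 1):
        window = lowered[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False


def check_password(password: str, username: str = "") -> list[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if username and len(username) >= 3 and username.lower() in lowered:
        problems.append("contains the username")
    if any(token in lowered for token in COMPANY_TOKENS):
        problems.append("contains the company name")
    if _has_sequence(password):
        problems.append("contains a keyboard or numeric sequence")
    if _is_breached(password):
        problems.append("appears in a breached-password list")
    return problems


if __name__ == "__main__":
    for candidate, user in [("Summer2014", "bob"),
                            ("alice12345678", "alice"),
                            ("correct horse battery staple", "alice")]:
        result = check_password(candidate, user)
        print(f"{candidate!r}: {'OK' if not result else ', '.join(result)}")
```

The checks are ordered from cheapest to most expensive so that a policy engine can short-circuit if it only needs a pass/fail answer; returning the full list instead lets the user interface tell the user exactly what to change.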
What You Can Do To Reduce Your Risk
1. Conduct a self-assessment to determine the weak spots in your current processes
A good first step is simply to conduct a quick online self-assessment to identify the areas of your information security that need the most focus. Below is a link to a short six-question self-assessment.
2. Consult With An Expert
Whenever you take on an unfamiliar task it is best to work with an expert, and information security is no different. When first looking at your information security we recommend talking to an expert. Some organizations will want to work with the expert on an ongoing basis; others may use them only to get set on the right path. Either way you tap into the knowledge and experience of someone who deals with information security every day and can help you avoid the common pitfalls. Here is a great article on the benefits of experts.
3. Create An Internal Security Team
The key to the success of any major initiative within an organization is a strong team to lead and execute it. We also recommend that this team be sponsored and championed by a member of the executive team, so that it gets the resources and approvals it needs to be effective. Information security is important enough that the organization's president or CEO should be the one to champion the team: handled badly, it can cost the organization millions of dollars and ultimately jeopardize the viability of the company.
4. Have Someone Within Your Organization Become ISACA CISM Certified
The Certified Information Security Manager (CISM) certification from ISACA is a widely recognized credential in information security management. Having someone on your information security team who holds it can greatly improve the effectiveness of your information security program. Employees with this certification can:
- Identify critical issues and customize company-specific practices to support the governance of information and related technologies
- Take a comprehensive view of information systems security management and their relationship to organizational success
- Demonstrate to enterprise customers their commitment to compliance, security and integrity; ultimately contributing to the attraction and retention of customers
- Ensure that there is improved alignment between the organization’s information security program and its broader goals and objectives
- Provide the enterprise with a certification in information security management that is recognized by multinational clients and enterprises, lending credibility to the organization that employs them
What Is Information Security?
Information security, sometimes shortened to InfoSec, is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that can be used regardless of the form the data may take (e.g. electronic, physical documents, audio recordings).
Sources For This Article: