5 tips for effective information security
In the 20 plus years I have worked in IT, the change in systems and the demands for information security have evolved greatly. No longer do we rely on simply a router or a firewall to control our security, but we now look a lot deeper into the internal and external factors (contextual issues) that may affect our systems. At 2SB we consult on the implementation of ISO 27001, which is a comprehensive worldwide standard for information security and lays out many areas of best practice.
Here I draw upon ideas from this standard and highlight 5 commonly overlooked factors that can affect the security of information:
- Control external IT providers accessing or managing your systems
A client of mine often refers to “information and security” instead of information security and she’s not wrong. We often give suppliers privileged access to our business data, but do we truly question what information they are able to see.
Ask yourself, what is the risk associated with having third parties accessing your systems? How do we prevent malicious activity or accidental release of data from ‘trusted’ outside sources?
My advice would be to consider what the effect of a supplier misusing company information would have on the business. Consider your responsibilities as the security officer or director, and the reputational damage if there was a breach of data?
Supplier lists and due diligence checks are often not taken seriously enough, and supplier lists are notorious for gathering dust. External parties should at least be covered by confidentiality agreements and wherever possible they should be technically restricted from seeing sensitive business data. I would suggest it is looked at in more depth by every business.
- Restrict internal access to data and client lists
I cannot say how many times we assume that because someone is a manager or director that they are automatically trusted due to their position. We must of course trust our staff however consideration should be given to how much information each individual needs in order to do their job fully. If they don’t need access to data then access should be restricted.
Breaches don’t just happen externally. They happen from disgruntled or opportunistic employees who have access to information that could further their interests. Control of this access is essential to ensure staff and client privacy is maintained. Lock down that data and monitor logs of by whom and how the information is being accessed.
- Create a positive environment for breach reporting
One of the hardest things to do with information security is to get staff to report incidents. Why? Well, are you going to tell someone you made a mistake, just so you can get a bruising from a manager? Do you feel comfortable raising a breach caused by a colleague? Are you aware that an occurrence is even worthy of reporting?
The idea should be that staff do not fear reporting incidents but look at the benefits of a secure system to them. If the business has a breach for example and it costs so much to fix that the business shuts down, how will that impact them? If they don’t report a minor incident and it becomes a major incident, how will that affect them?
We need to change the narrative, and create a culture where reporting is promoted without reprisals (unless gross negligence is in play), so that all barriers to reporting are removed. Managers need to consistently display this positive behaviour to give staff confidence to speak up.
- Raise staff awareness of information security requirements
It’s one thing to ask staff to report a breach but if they don’t know what it looks like, how will they know it needs reporting? What about your IT staff? Do they brush off concerns raised by staff just because reports always seem to be from the same person?
I would suggest prioritising regular training of what an attempted attack or breach is, how to spot it and what to do if you even have a suspicion of one. Don’t brush over any incidents and think they’re minor. Minor incidents can often escalate to major incidents, if unchecked. Teach staff how to spot a breach so it becomes natural for them to bring it to your attention.
- Consider security of systems before purchase
Ahh, the world of assumptions. We simply assume that a system is secure because it’s the latest model of something, was recommended to us or has a great article written about it. Don’t be fooled by great labels, new packaging or bright new ideas. Do your homework before you purchase items. It’s a highly overlooked part of any ISMS.
My advice is to do your homework. Do your best to ensure it does what it says on the tin. You don’t want to find that you have systems, software or processes that create breaches or affect your culture around security. Companies will allow you to demo and test equipment before purchase so take them up on it.
It’s essential that we don’t place our systems at risk by not being thoughtful of things that affect our information security. Hopefully these tips provide some extra considerations when securing your business systems. Reach out to 2SB if you would like more information on anything covered.