The rush to embrace digital technologies can put organizations at extreme risk. Here are six foundations for creating an information-security strategy that will keep your data safe.
Keeping up with the latest digital technology without proper data-security measures is akin to leaving the doors open while you give your home a makeover. Organizations need to protect their information assets, and digital technology implementations should not bypass or compromise an organization’s information
Indeed, every company needs to prioritize infosec strategy. This is easy to say, hard to do, as shown by the phenomenon of shadow IT — the proliferation of locally sourced IT systems without enterprise governance oversight. The demise of the once globally recognized Nortel is another powerful symbol of both the challenge and need for strong data-security measures.
For almost a decade, Chinese hackers used passwords stolen from top Nortel executives to download technical papers, research reports, business plans and other information. The progressive loss of intellectual property combined with an increasingly competitive market sealed Nortel’s fate. Perhaps the most illustrative lesson from the Nortel example is how after initially learning of the cyberattacks, executives treated the matter lightly.
Don’t make the same mistake. A digital-security strategy is critical to your company’s health, even if the threats happen to be less dramatic than those that felled Nortel. To that end, here are six foundations for building a resilient, robust and effective capability for information and digital asset protection.
1. Recognize that information security is not just the CIO’s job.
The role of the CIO is important. The CIO should work to enable information-asset-protection capabilities that are business relevant, effective and efficient, and constantly tested and refined. However, expecting your CIO to take care of enterprise-wide infosec on behalf of the organization is inadequate in today’s increasingly complex and interconnected digital world.
Takeaway: Effective infosec and digital-asset protection relies on effective collaboration across the organization. Adopting a multidisciplinary approach is critical.
2. Treat — and protect — data and information as business assets.
You and other business leaders in your company likely recognize the business value of the structured data held within your transactional systems — such as ERP or CRM. However, many fail to recognize the value of unstructured data that is typically held in spreadsheets, databases, ad-hoc data extracts and Word documents. This is a mistake. Word documents, spreadsheets or databases containing board meeting minutes, strategic investment plans and forecasts, product design data, or sensitive client proposals can all do damage to the organization’s reputation and prospects if made available to competitors. The resulting loss of competitive advantage or brand damage could — as Nortel found out — lead to the organization’s demise.
Takeaway: Treat important digital assets as you would important tangible assets. Define their financial or strategic value, and protect them with strong data-security measures. Introduce these measures with proper change management so that they are seen as a valuable necessity rather than an imposition. Engender and maintain a vibrant infosec-aware culture, and do not leave it up to the IT team to “take care of.”
3. Protect important data on removable media and mobile devices.
The ability to store prodigious amounts of data on tiny memory cards, portable hard disks, mobile devices and memory sticks is a real risk to organizations in a number of ways. The ability to rapidly access large volumes of data from portable devices without authorization is a well-known risk associated with removable media. Think WikiLeaks. The accidental loss of a removable storage device containing sensitive information is a real possibility as these small devices can be easily lost or misplaced.
Takeaway: Assess the business value of implementing auditable access control technologies to monitor access to removable media. Ensure that all sensitive data on removable media is encrypted.
4. Know where your organization’s important digital assets are located.
Without an enterprise-wide awareness of what critical data and information exist across the organization, and where, ensuring effective infosec protection is not possible. Data and information that already exist within your organization’s IT infrastructure can be identified and assessed. However, a newly created database or spreadsheet can be stored anywhere.
Takeaway: Establish an enterprise-wide taxonomy for key digital assets. Then ensure ongoing accuracy by building a maintenance-and-monitoring capability.
5. Recognize that not every data breach occurs because of an external attack. Employees can cause data breaches intentionally or inadvertently.
A global survey of organizations spanning 30 countries found that a third of data breaches occurred as a result of employee error. This suggests that organizations’ efforts to ensure the effectiveness of their internal infosec controls are falling short.
Takeaway: Define and implement enterprise-wide policies, processes and technologies — backed by education and monitoring programs that are granular enough to focus effort where it is needed. Allocate funding in departmental budgets to ensure that effective and ongoing security training and a surveillance culture are maintained.
6. Realize that meeting legislative and regulatory standards is just the starting point for an infosec strategy.
The primary driver for investments in enterprise infosec capabilities should not be solely achieving and maintaining information-security certification (e.g., ISO 27001). Certification, while indicative of serious attempts at maintaining infosec measures, does not imply that these measures are effective, especially in our rapidly changing business and technological environments. The daily drumbeat of data breaches across a substantial number of organizations, many of which held current infosec certification, attests to this fact. The same principle applies to meeting legislated requirements such as the disclosure of Personally Identifiable Information, privacy legislation or mandatory data-breach reporting. These standards should define the bare minimum.
Takeaway: Implement regular, enterprise-wide, innovative and random infosec testing processes that are not focused solely on the technical level, but also include the human level. This will ensure that information-security awareness and capabilities are top of mind for all staff. In addition, it will confirm the effectiveness of the organization’s security measures at both the technology and human levels. After all, nearly half of the known data breaches are self-inflicted — and that’s a statistic you don’t want to join.
In the new hyperconnected world of IT, the risks of an adverse cybersecurity event occurring for an organization are very real, whether they are self-inflicted or because of a sophisticated external hack.
Implementing strong information-security measures based on technology alone is a necessary but insufficient condition in ensuring overall infosec protection for the organization. The ultimate protection against cyberattacks and compromised data lies in ensuring the active engagement and commitment of every employee and manager across the organization to information security — and that has little to do with technology.