Cyber attacks such as ransomware, phishing, and man-in-the-middle active eavesdropping are occurring with increasing frequency, breaching confidential information and resulting in significant loss for both private and public organizations. An important and common immediate response is to focus on implementing IT and cyber security countermeasures such as strong anti-malware or virus software, smart intrusion detection and prevention systems, patches, and the latest encryption software. While these countermeasures that focus on digital data are a very critical part of the solution, we at Castellan Information Security suggest that a more integrated approach is required to truly protect an organization's information.
Information security can't simply be handed over to your IT department or specialist on the assumption that your organizational risks have been sufficiently mitigated. Nor can it be assumed that because your data is stored in the cloud you have adequately addressed the threat. Organizational approaches to information security must go beyond deploying IT countermeasures as the sole strategy to address these real threats.
While external cyber security attacks continue to be a significant problem and garner much attention in the media, the challenge is larger and more complex than this. Analysis indicates that approximately half of data breaches are the result of other factors such as staff mistakes, mishandling and losing non-digital information, malicious insiders, and a lack of organizational attention to implementing the measures required to secure sensitive information.
Insider threats and vulnerabilities, such as those outlined below, help demonstrate that organizations must implement measures that go beyond protecting solely against external cyber attacks:
• Mistakes made by employees due to a lack of training or awareness.
• Disgruntled former and current employees.
• Current employees susceptible to corruption.
• Insufficient understanding of privacy legislation and obligations.
• Absence of security incident reporting or information security classification systems.
• Lack of internal policies and procedures on information management and security.
• Lax practices for collecting, using, storing, handling and destroying information.
• A corporate culture that does not prioritize information security.
• Managers who do not set an example for the proper handling of information.
We are not suggesting pulling back on tactical IT and cyber security countermeasures; however, we are suggesting that a more integrated approach is most effective in building a long-term and sustainable information security program. Management must take ownership of the issue, as it would any other corporate or business priority, by incorporating information security into its organizational governance, corporate culture, and procedures.
As the importance of information security rises and the complexity of threats evolves, executives and security professionals should be encouraged to address this challenge with the same level of integration that they would apply to other business priorities. A sustainable information security management program must integrate cyber security countermeasures with enterprise-wide corporate security planning and practices.
Castellan Information Security is a Winnipeg-based 'end-to-end' information security company that specializes in information security and has worked with both large and smaller private and public organizations to help them reach their information security objectives. If you have questions about this article or would like to speak to us about how our services can help your company protect its information, please feel free to have a look at our website at www.castellaninformationsecurity.com or contact us directly at info@castellaninformationsecurity.com.