You Need to Protect your Firm’s Valuable Information
The latest survey on Information Security breaches makes for sobering and worrying reading and shows that many firms are failing to protect their valuable information. According to the 2015 Information Security Breaches Survey, 74% of Small and Medium Sized Businesses (SMEs) and 90% of Large Companies have suffered an information security breach in the past 12 months.
Counting the (Significant) Costs of not Protecting your Valuable Information
Not only is the sheer number of such breaches staggering, so also are the costs. Each incident is estimated to cost SMEs between £75,000 and £311,000, whilst costing large companies between £1.46M and £3.14M. These are sums large enough to worry anyone.
These facts should have every Business Owner, Board Member and Senior Executive asking the question:
“How do we Protect Our Valuable Company Information?”
Steps to Take to Protect Your Information – A Guide to Better Information Security for Managers
Information is the lifeblood of every business today. Without the correct information, available when required, your company is likely to wither and eventually die. Sadly, that vital information is also of great interest to others, be they your competitors or simply crooks and rogues. Your valuable information is highly desirable to people who will use it against you: to damage your reputation, cost you money and lose you customers.
So you need to be on guard. You need to work to ensure you protect your valuable information and keep it where it belongs – where you know its Confidentiality, Integrity and Availability can be guaranteed.
We aim to provide you with some simple steps you can take, or check you are taking, to make it more difficult for the bad guys to steal your valuable information and to help your employees be more careful with your precious information and intellectual assets.
And don’t forget – that valuable information doesn’t just reside in documents and databases, buildings and computers or in the ‘cloud’; it’s also inside the heads and hearts of your employees. Their tacit knowhow and knowledge may well be the most valuable intellectual property of all.
Know Your Valuable Assets
To paraphrase George Orwell, “All information is equal, but some is more equal than others.” Depending on who you listen to, the amount of information that’s actually of ‘value’ inside organisations is less than 30% of the total collected and stored and may even be less than 10%.
Of the ‘Virtual and Physical Mountains’ of paperwork (computer records, documents, emails, drawings, reports, brochures…) only a very small percentage is actually of value and needs keeping secure. The rest is landfill. The questions you really need to ask are:
- What is it?
- Where is it?
- Who in the company ‘owns’ it?
- Why do we need to keep it?
- For how long?
- How will we protect it, whilst giving access to it to those who have the right to see and use it?
Simple enough questions, not often rigorously asked or answered.
Leaders – Walking the Talk
Nothing, but nothing, will reduce your efforts to improve information security to a waste of time, money and effort more surely than a lack of commitment from the leadership team.
This has to go beyond fine words and rhetoric.
Worse, if you insist on every employee adhering to good practice, to following sound procedures and principles and then they see their managers and leaders acting as if it doesn’t apply to them, your employees will rebel.
They may do this subtly and quietly. However, rebel they will. And the end result may well be worse than if you hadn’t started out in the first place.
How Being Positive Makes the Difference
Conversely, nothing works better to improve your firm’s ability to look after its valuable intellectual information assets, than a motivated, committed leadership team who walk their talk.
Seeing senior people show a real interest in information security, offering more junior employees advice and assistance, encouragement and praise when they do something right will undoubtedly have a positive impact on all aspects of the programme.
How Much Risk is Okay?
No firm operates without taking on board risk. Every firm takes a different view of the level of risk it is prepared to accept. This is a truism that is masked by the fact that few companies make the effort to explicitly decide on their acceptable risk levels and then manage their risks to meet those levels.
We live in a Volatile, Uncertain, Complex and Ambiguous (VUCA) world. A world of ‘Black Swan’ events that can catapult the seemingly most stable business from wild success into failure and vice versa, seemingly overnight.
We therefore recommend that you add or include Information Security risks in your overall business risk assessment list along with Strategy, Safety, Finance and Operational risks.
Why? Because as with the others, it has the capability to affect your firm’s Reputation (for good or bad), your Revenue and your Profitability.
Technology is a Part Answer
If you were to listen to the IT and Technology suppliers, you’d be forgiven for believing that buying enough of their solutions would solve all your Information Security problems.
And it would be really rather simple and easy (if expensive) were that the case. Of course it isn’t the answer; part of the answer yes, but not the whole answer by any means.
We see firms jump in and make buying decisions too quickly. By that we mean, deciding on the technology before they’ve decided on the risk treatment. This leads to wasted expenditure, overlapping solutions and even worse, gaps in security. You end up with a patchwork of partial answers…but in total, they don’t answer all the right questions. And that leaves your firm with a risk, very probably a risk you hadn’t even considered in your risk assessment.
That said, you will undoubtedly need to apply technological solutions to meet many of your risk treatment action plans.
Process, Procedures and Systems ARE Necessary
One of the main benefits of ISO 27001, the global standard for Information Security Management Systems, is that it forces firms to introduce, develop, maintain and continuously improve their approach to Information Security.
For businesses that are serious about demonstrating that they take Information Security seriously, it therefore provides a powerful framework and ready-made template. Whilst it is highly flexible, because it is built from the individual business’s approach to risk, the common element is the expectation that the system is documented, that processes and procedures are written and that records are maintained.
Even if you choose not to take the ISO 27001 route, the basic premise of creating and maintaining processes and procedures still makes perfect sense. These documents will help you ensure that you are covering the bases, that you are delivering against your Risk Assessments and that you are learning from your previous activities. The systematic approach also helps you in developing a consistent approach across your business and often leads to improved cost control.
Your People Are Key – Engage the Human Firewall
According to IBM’s latest report (IBM 2015 Cyber Security Intelligence Index), 55% of attacks and incidents come from ‘insiders’, i.e. from people who have permission to access their employers’ systems and information. Just over 31% are classified as people who have done this with malicious intent; the remaining 24% IBM terms ‘inadvertent actors’, i.e. negligent or accidental.
The fact is people are the cause of almost all Information Security problems and people, primarily your employees, can be your greatest weapon in helping prevent, detect and correct those problems…with the help and support of your procedures and technology of course.
Security extends beyond the computer. Your employees can be targeted by phone, in person and by letter. Their behaviour in public places, e.g. their conversations and their use of computers, is also a potential source of vulnerability.
One of the biggest challenges is to get your employees engaged around the whole issue of Information Security. All too often it is viewed as a dry, IT issue, best left to the technologists in the firm.
You have to change that perception.
Measure and Improve
Improving your Information Security is a programme, not a destination. It’s a culture change programme, not a one-off project. Done well, it has the potential to focus your efforts to achieve other positive aspects of culture change, given its all-pervasive nature and the need to involve everyone in the business (and in your supply chain, partners and potentially customers and other stakeholders as well).
Effective Information Security Management is a constant process of continuous improvement, against an adversary that is also engaged in a similar process.
Find out more by contacting us on +44 (0)1252 727 980