A holistic approach to information security
We live in an age in which we depend on information, and so we expect it to be readily available on demand, regardless of where we request it from or of the medium we use to access it. Inevitably, this age of information-on-demand has triggered the collection of large volumes of data, challenging the very way in which we ought to deal with information security. Given our dependence on such information, businesses are attributing a value to the information they possess, though that value is often underestimated until the same information is compromised or suddenly unavailable.
It is not uncommon for us to assume, incorrectly, that privacy and security are in place by default. We also tend to react to incidents only after they happen, and wrongly assume that if nothing has happened in the past, the information we have come to rely on is not subject to any risk. Identifying the risks we are prepared to take on is often secondary to taking on new business, as business people frequently see information security investment as an extra cost that gives the business no return.
These assumptions could not be further from how we ought to be thinking. As a result we embark on ad hoc spending, with little or no understanding of why we should be concerned about the security of the information we hold, and the problem only becomes apparent when such costs begin to mount up.
That said, a few key drivers do get businesses to think in a secure manner, most of which arrive as an external imposition rather than by choice. For instance, compliance regimes require ecommerce businesses to adhere to strict rules in order to transact on the Internet. Regulations laid down by national regulatory authorities (NRAs) such as the Malta Financial Services Authority (MFSA) and the Lotteries and Gaming Authority (LGA) require operators to have continuity plans in place, with appropriate controls on how information is protected. On other occasions we observe that a security incident which caused some form of downtime brings costs (in the form of losses) into perspective, thereby triggering what ought to be a positive mindset towards the protection of information.
Time to be concerned?
On a personal basis, the manner in which we protect the information we hold and exchange is largely subjective, shaped by our past (negative) experiences and our overall perception of information security. The same is true within organisations, where the probability of a threat actually materialising and the resulting impact are often misunderstood or underestimated. Organisations thus fail to assess correctly the financial and reputational risks they are exposed to. Without a good understanding of these risks, it is impossible to introduce adequate security controls to prevent issues such as data loss and fraud, and aligning information security with the business objectives becomes an ever-increasing challenge.
Consequently, managing information security becomes a matter of crisis management, and this alone should give businesses cause for concern. The name of the game is to be proactive rather than reactive.
Managing it all
As daunting (and probably impossible) as it may be to manage every IT risk, it is indeed possible to introduce controls pragmatically that achieve an acceptable level of resilience.
Firstly, it is imperative that a business fully understands who holds what information and for what purpose. In part, this means identifying your core information assets and adopting a ‘privacy by default’ culture with the aim of reducing overall risk.
Secondly, business continuity planning is imperative to ensure that contingency arrangements are in place for timely recovery following a period of downtime. Beyond traditional disaster recovery plans, such planning takes the human element into consideration and ensures that all critical information assets can be recovered within an acceptable timeframe, so that business is not lost. That timeframe should be agreed with the business beforehand and the recovery rehearsed, rather than assumed. With this mindset, investment in IT security gives business owners the comfort of knowing that their systems are resilient and redundant enough to withstand an acceptable amount of downtime.
Thirdly, with a view to tackling information security holistically, it is equally important to adopt a risk management framework that enables structured and well thought out decisions on whether or not to accept particular risks. An information security strategy, in turn, ensures that ad hoc costs are avoided while giving the Board a view of the security investment road-map for the year(s) to come.
With an accurate view of your critical assets, a three-pronged approach is needed, covering the development of IT policies, awareness training, and the implementation of controls in line with those policies. Complementing this, periodic risk assessments help prioritise remediation efforts and concentrate them on the areas that require immediate attention.
It is also crucial for the Board to obtain top management buy-in by involving management and establishing effective communication channels with them at the various stages of the decision-making process. Experience has shown us that once an organisation adopts such a communications policy, management does respond in the company’s best interests.
As part of the overall risk management process, being aware of your legal obligations is imperative to understanding the ramifications of non-compliance.
The way forward
The challenges to a holistic approach to information security are continually amplified by the ever-changing technology landscape.
The reality is that businesses face new advanced persistent threats (APTs) as well as new technology concepts such as information in the cloud, bring your own device (BYOD) and virtualisation.
As mobility and the need to have information on demand continue to displace traditional desktop-based information systems, we also face new legal frameworks that attempt to address the legal aspect of information security by laying down the rules of engagement and the boundaries within which we operate.
Adopting a risk management framework puts IT risks into business perspective and reduces an organisation’s overall liability; the biggest hurdle to overcome, however, is changing the organisation’s culture. As security is gradually brought into line with the business objectives, it becomes an enabler. One such example is the introduction of two-factor authentication tokens for Internet banking. The aim should be to reach a state in which security and usability complement each other.
Security failures are often not about one particular incident that brings an organisation down, but about a series of small incidents that go unnoticed for prolonged periods of time. The ability to recognise when such issues are building up, and to nip them in the bud, is therefore essential to business continuity and to a rapid response to any crisis. In doing so, security becomes a process rather than a goal.
Donald Tabone works with KPMG as an Associate Director within the IT Advisory section of the firm. He is a Security Specialist with a vested interest in ICT Law and Computer Forensics, and has held various managerial and hands-on positions for over sixteen years. Donald holds an Honours degree in Computing and Information Systems and a Masters in IT & Telecommunications Law from the University of Strathclyde, as well as several other security and computer forensics related certifications.