Myth #1: Information security doesn't matter
Some people think all the fuss about information security is just hype created by the IT industry. However, the risks are very real and increasingly well-reported. At best, poor security wastes time and resources – time to deal with spam email, the cost of disinfecting virus-infected systems, etc. At worst, poor information security threatens the future of the organisation – unauthorised disclosure of confidential information, identity theft, damage to reputation, catastrophic loss/corruption of company data.
A recent survey identified smaller businesses as particularly at risk, as they often lack the expertise required to develop effective security policies and dedicate too few resources to developing adequate protection.
Myth #2: Information security attacks are simply a nuisance
Hackers used to be 'techies' who hacked systems for the challenge. However, organised criminals now recognise information security attacks as highly lucrative. They have considerable resources – both money and talent – and steal information such as credit card details for subsequent sale.
Myth #3: I'm too small to be attacked
Some companies believe they are too small to warrant the attentions of the cyber criminal fraternity. However, larger targets usually have the resources to implement effective defences, which deters attackers. Furthermore, attacks are increasingly automated. Instead of targeting a specific organisation, attackers probe internet-connected systems at random to identify vulnerabilities. Even if these systems do not hold useful information, they can be compromised and used to house illegal content or become part of organised networks attacking other systems.
Myth #4: I have anti-virus software so I'm protected
Anti-virus software is certainly a key component of effective information security, but it does little to prevent other forms of attack. Hackers can gain unauthorised access to systems via the internet, spyware can be installed to monitor what users do on-line, and software can be installed to allow systems to be remotely controlled. An effective information security policy must deal with all types of attack.
Myth #5: All attacks come from outside my organisation
Evidence shows that many attacks originate from inside organisations. These may be deliberate (disgruntled employees stealing confidential data such as customer databases) but are often accidental (unintentional circulation of libellous information).
Organisations are becoming increasingly concerned about what their staff do on-line – downloading unacceptable or even illegal content, watching videos on video sharing sites such as YouTube, emailing friends with jokes, videos, etc. Directors should realise they can be held accountable for data stored on company systems.
Myth #6: I can't afford adequate protection
Many organisations see information security as an unnecessary expenditure. However, the key is to make any investment count by addressing the most important areas. One of the most effective ways to achieve this is through a risk assessment:
- What risks do you face?
- How likely are these to occur?
- What would be the impact if they did?
- What are the options to avoid or mitigate the risk?
- Does the potential risk justify the cost of correction?
The basic aim of an information security policy is to deter casual attacks – the equivalent of locking doors and windows.
A layered approach offers the best protection:
- Firewalls restrict who can access your systems and what they can do
- Anti-virus software stops viruses
- Anti-spyware software can prevent spyware infections
- Email filters can intercept and block or tag spam
The key point is that information security is an important consideration for modern businesses and cannot simply be ignored. However, achieving an acceptable level of protection is not that hard, can be relatively inexpensive and, with appropriate advice, should be within the capabilities of anyone savvy enough to run or manage a business.
About the author
Andrew Parsonage is Principal Consultant at Mican Limited, an IT consultancy that can help you to develop an effective information security strategy, to implement adequate safeguards and subsequently manage your systems to ensure they are updated and continue to protect your most vital asset – your data. Visit www.mican.co.uk or telephone 01948 830069.
www.fpb.org