This week we have a guest blog post from Acrede Quality Manager, Alex Richardson.
Information security is the practice of defending information (data) from unauthorised use – including access, disclosure, disruption, modification, inspection, recording, loss, destruction and misuse. It is, in general terms, both ‘data protection’ – regardless of the form the data may take (e.g. electronic or physical) – and ‘software/application protection’. For the purpose of this article the term ‘data’ is all-encompassing.
When I started in what was then called computing, information security was very straightforward, and was served by simple measures like the locking of computer rooms and offices, the shredding of paper and mag tapes, and the smashing up of old disk drives. There was no way of accessing electronic data except via the computer room itself, so emphasis was put on the input and output media. Technology may have changed since then, but the tenets of data protection remain constant; the 1998 Data Protection Act has the same basic purpose as its 1984 predecessor.
Some of the simple breaches I have seen include:
- Confidential papers left where others can find them – including in meeting rooms, on fax machines, in a hotel bar, on a bus, in a bin, and on a desk for cleaners/others to see.
- Personal details posted to the wrong person.
- Disclosures made over the phone.
- Emails sent to all clients using the ‘To’ field rather than the ‘BCC’ field.
- Computers being dumped without their hard drives removed or fully wiped.
- Unencrypted USB memory sticks being lost.
- A laptop containing confidential data, but with no password protection or encryption, left on a train.
- Data held despite its known inaccuracy, retained well past its needed/useful date, or used for unrelated purposes.
- Unsecured networks and servers/PCs.
- Clicking on email links/attachments from an unknown and untrusted sender and downloading either a virus or trapdoor intrusion.
I suspect others will have seen similar security breaches caused by a lack of information security/data protection awareness. Nowadays it’s not just these sorts of breaches we need to protect against either; we also need to protect data against cyber criminals, phishers, hackers and intruders of all sorts.
Some of the defences we now need to deploy include encryption, firewalls, antivirus, anti-spyware, password protection, secure logins, user authentication, operating system and software patching/updating, and secure transmissions. A lot of these can be made easier by a system designed with built-in security as one of its must-have objectives. The alternative – though harder and often less secure – approach is to bolt security around an existing system.
The International Standards Organization (ISO) released ISO 27001:2013 (Information technology – Security techniques – Information security management systems – Requirements) in September 2013. ISO 27001:2013 provides a much-needed update to ISO’s previous information security management standard, ISO 27001:2005.
ISO 27001 is an all-encompassing set of information security and data protection best practices that you need to follow in significant detail to obtain certification. Obtaining certification does not allow you to rest on your laurels, however: the Standard requires continual reviews, risk assessments, improvement and continuity, making it far more than just a badge of merit a company can earn, but a trustworthy testament to the company’s commitment to information security and protection.
Last year the Information Commissioner’s Office (ICO) – the Data Protection Act’s enforcers – published an article about some of the past year’s breaches and the fines that it imposed. It makes for some interesting reading, not least because not long after its publication it transpired that the ICO had itself been breached. The phrase ‘physician, heal thyself’ comes to mind – or should that be ‘enforcer, fine thyself’?
Bearing in mind how easy it appears to be to break the Data Protection Act or suffer a data breach, and considering the effect a breach can have on any company or individual affected, I am sure you will agree that information security/data protection should be a key objective of all companies and that it should be the responsibility of all people – not just the IT domain.
In 2009, President Obama said that ‘cyber threat is one of the most serious economic and national security challenges we face’. Cyber threats have since increased in volume and severity and, with an increase in Internet activity and the use of mobile devices and Cloud Computing, the opportunities for cyber crime have increased at an unprecedented rate.
I predict that President Obama’s statement will hold true for the long-term future. To me, security awareness and data protection are essential and need to become a way of life for everyone. From a company point of view, along with all the physical and technical protections, all members of staff should undergo data protection and security awareness training.
We must all continue to be vigilant, spread the word and stay up to date with our awareness, protection and security. This needs to become a way of life for generations to come.
Views and opinions expressed are those of the author and may not represent IT Governance.
To learn more about ISO 27001 and how it can help your organisation better protect its data, download IT Governance’s free ISO 27001 green papers.