The need to protect our personal information is just as much of a priority as protecting our physical possessions is. Information-system security, also known as 'infosec' refers to the process of protecting an organisation's data, as well as the information it processes about customers, suppliers, and so on. The nature of organisational information means it could be seen as valuable to unauthorised people, such as cyber criminals/hackers. People like this collect information (e.g. email addresses and passwords) and can sell them on for money, or else use them for phishing scams, identity theft, and more.
Not only does information security refer to data stored on our devices such as office computers, but it also means protecting information in other forms such as telephone conversations.
Information Security Threats:
The continuous changes in technology mean that threats to information security change rapidly too. In other words, as technology changes, the style and amount of threats change too.
The rate of security breaches is not only increasing (44 information records are stolen every second!), but the level of sophistication used by hackers is growing too. This not only gives us new forms of security issues to deal with, but challenges us to understand how to deal with the threats efficiently. Steve Durbin from the Information Security Forum (ISF) warned how threats are "personalised to their target's weak spots" and how, nowadays, "the stakes are higher than ever before". His comments stress the severity of system security and how the threats out there are the most dangerous they've ever been.
Emails gave people the ability to connect directly online through an inbox, but they also gave cyber criminals this opportunity too. Currently, 59% of business leaders view emails as the number one threat to cyber security. This is because emails can be sent with malicious links and attachments, which can, once opened, covertly download malware onto the users' computer – thus potentially infecting entire networks.
Phishing scams are another way that criminals can attempt to gain unauthorised access to confidential information through email. By posing as a legitimate source, such as banks or retailers, hackers can create very convincing emails that mimic the look and feel of a real request for information. Remember, it only takes one recipient in thousands to fall for the scam and offer up confidential information, e.g. bank details, for cyber criminals to make money. Thousands of phishing emails can be sent in less than a second, so the pay-offs are huge.
Email security gateways are one way for you to control what gets through to your inbox in the first instance, as they detect and block harmful content from entering the inbox. Gateways alone won't guarantee protection, which is why all security software should be backed-up by good information security awareness training.
Employees are the number one cause of data breaches according to the 2016 Statement of Cybersecurity, stressing how the threat to information security can just as easily come from within. An employee with a lack of understanding or training in security awareness can actually be a security risk without even realising it. A noteworthy example is eBay in 2014. The global online auction was hacked and resulted in the data of 145 million users' personal data being compromised, all due to the actions of three eBay employees.
Creating an environment where employees are regularly trained, updated, and included in infosec discussions means that attitudes will change as understanding does too, leaving people proactive in wanting to protect the organisation they're a part of.
The global obsession with social media is something that doesn't seem in danger of slowing down. This is reflected in the fact that the average person spends 2 hours a day on the platforms, investing a lot of time (and consequently a lot of information) into the sites. The risk with social media is that we tend to let our guards down using the platforms, which causes us to share a lot more information with a lot more people and external applications than we realise. It's for this exact reason that hackers see social media as a good place to find a new victim.
The privacy settings on social media platforms allow users to control who sees the information they put out there. So if you use social media, you should regularly check your settings so you are sure what you are sharing and with whom.
Social media finds its way into the workplace too, so by making staff aware of their social media settings through training, you can reduce the risk to your networks from cyber criminals. If employees are authorised to use work equipment/network devices to check their social media profiles during break times or for work purposes, it's important to implement social media awareness training and to have a good social media policy in place.
Why is Information Security so Important?
Information security ought to be a priority for all organisations because the consequences can be catastrophic if you suffer a data breach. Breaches can cause considerable damage to both the finances (through penalty fines) and reputation (through media reports) of a company, two factors that could determine the longevity and profitability of your business. As well as this, the threat of heavy penalties from the GDPR as a result of non-compliance in information security is something no organisation can afford to ignore.
It can be a misconception that SMEs are more vulnerable to information security breaches and hacking due to having smaller budgets to use for protection. However, even business heavyweights, such as eBay and Uber, have fallen victim breaches in the past. Hackers aren't picky with who they target as long as a profit is on the horizon!
With the dubious honour of having the biggest information breach ever recorded in history, Yahoo lost control of up to 3 billion user accounts in 2014, costing them a whopping $35 million (around £26m). Details such as names, addresses, emails, and telephone numbers were compromised due to Russian agents hacking into the system to gain user details. Since the attack, Yahoo dropped in value, something that Verizon took advantage of by buying them for a knock-off price. The company's sale means that their name will slowly fade to leave behind nothing but the memory of a terrible data breach.
Preventing Information Breaches
Risk assessments must be carried out to determine what information may be at the biggest risk. For instance, one system may hold the most confidential information and as a result it needs the highest levels of protection to maintain a secure system. Having an information system security professional audit the business regularly is a good way to mitigate the risk of an information security breach. By planning ahead and reducing the likelihood that something could go wrong.
By training staff to be vigilant in cyber security, and implementing a compliance culture, you are protecting your organisation from future attacks. Educating employees in topics such as hidden dangers within emails, safe use of social media, password policies, and software updates means that the training will produce a workforce that has the knowledge to be able to spot threats when they appear and respond effectively. An example of this could be recognising the different types of malware out there such as trojan horses and spyware and knowing what damage they can cause if they get into the system. By having a greater understanding of what they're looking out for, it can resolve an issue before it can have an impact on the whole company to reduce the chances of information breaches happening in the first place.