Information Security

Information is a valuable business asset that needs protecting. The confidentiality, availability and integrity of information assets and intellectual property are vital for long-term success. Regulatory compliance has an increasingly important role to play, and effective online/cyber and physical security – collectively referred to as Information Security – is critical to regulatory compliance.

Loss or damage to any piece of information can cost a large amount in terms of money or business reputation. For example, leaking of company strategy, financial status or client information can lead to loss of business and more seriously, could result in legal action.

The success of any business in the intensely competitive business environment relies on the trust of clients. Trustworthiness increases the competitive advantage and enables the business to grow. How is trust earned? A critical factor is the ability to protect information against the increasing number of threats. Procurement managers view this as important when awarding contracts to SMEs, and the majority would stop using an SME if its security was compromised.

Getting past the jargon

On an almost daily basis, there are stories about cyber attacks, social engineering attacks, cyber security etc. For the majority of businesses, this is difficult to understand and there is no obvious link to the bottom line. Here is a summary in terms that should make sense to all businesses.

Theft; getting access to details of your business and your clients in order to sell them. A cyber attack does this by getting access to your network and/or computers. Cyber security is protecting against this type of unauthorized access. A social engineering attack tricks people into breaking normal security procedures and passing on details. There is also the old-fashioned break in to get hold of information (which could be on paper) or stealing mobiles and laptops. Theft can result in the loss of intellectual property rights, costs to replace equipment and legal actions from clients.

Ransom; encrypting your data and then asking for money before handing over the key to unlock it. If the ransom is paid, there is no guarantee that a key will be provided, or that it will work, and that data will not be encrypted again in the future.

Extortion; getting access to details of your business and your clients and threatening to pass them on unless money is paid. An example of this is the Ashley Madison website. Data was stolen and made available on the internet when money was not paid.

Vandalism; getting access to your social media accounts and websites to deface them. This may also be in the form of a Distributed Denial of Service (DDoS) attack that stops access to your website or network. There is an impact on reputation. There could also be a financial loss if contracted work cannot be delivered on time.

Utility failure (Gas, Electric, Water); Business Continuity is an aspect of Information Security. If there is a failure, or buildings need to be evacuated for any reason, how quickly can key functions be working again?

Common misconceptions

  1. Only companies that take payments online are at risk of cyber crime. All companies are at risk. Hacking of payment processing software is an obvious tactic, but criminals are highly opportunistic and can benefit from stealing a wide range of data from businesses using cyber and social engineering attacks.
  2. Smaller companies aren’t a target for criminals. Small businesses are a bigger target because they typically hold far more data than the average consumer, but often don’t have any additional preventative measures in place to protect themselves.
  3. Smaller companies don’t need to take any action about Information Security as this is covered by their trade certification or through their outsourced IT provider. Although certification for many trades considers information security, they generally don’t respond quickly to evolving threats. IT providers protect against cyber attacks but may not cover defences against other types of attacks.
  4. Security can be determined by looking at internal controls. A business is part of a supply chain; if suppliers have information security issues, you may end up with problems. For example, if their IT systems were compromised they could send emails with malware that reach your computers because they come from a trusted source. Information Security is like Health: “it’s not just how healthy you are but everyone you shake hands with”.

Lack of understanding leaves many SMEs vulnerable to losing valuable information and suffering the knock-on effects, including losing clients and a damaged reputation. A UK Government survey found that the average cost of a serious security breach is between £65,000 and £115,00 and can result in a business being put out of action for up to ten days.

Impact of a Security Incident

Improving Information Security

If you want to know about the effectiveness of your existing information security measures, we can perform an Information and Cyber Security Healthcheck.

Large organisations have a Chief Information Security Officer (CISO) to deliver their Information Security strategy. Smaller organisations do not have the need for a full-time CISO, but still need the expertise to deliver an information security strategy that ensures sustained business success and continuity. Using our Virtual Information Security Officer (VISO) service is a cost-effective way to have an information security professional deliver the information security strategy alongside your team.

For more details about Information Security see our pages with details on certification options and issues for Communication and Digital agencies, HR and Recruitment, the Legal sector, Marketing and PR and SMEs.

To get more information on how we can help your business, please contact us.