Opinion: Memo to business: information security is not just IT’s problem
Data leakage has become a significant security risk to Australian businesses. A recent global research study conducted by the Ponemon Institute on data leakage found each security incident in Australian organisations cost an average US$2.8 million and that Australian organisations spend the second most worldwide (US$1.2 million each on average) on investigating and assessing data breaches.
Most Australian businesses are interested in protecting their information. But there is an entrenched belief in many organisations that information security is a technical issue and that the primary threat comes from external malicious hackers. Instead, research has shown that the culture and people within an organisation are just as likely to be the source of data leakage.
Whether deliberately, or inadvertently, employees are usually more responsible than hackers for breaches of information. For example, confidential and sensitive information is sometimes shared inadvertently through social media.
Many information security experts will agree that not much is actually done to counter information leakage in organisations. The focus has been on physical, technical and financial security rather than the human factors. There may be a number of reasons for this. One explanation is that many executives believe “information security” is the same as “IT security” and is therefore the responsibility of the IT manager. This belief might explain why the question “Is our information secure?” is often answered with “Yes, we have firewalls”.
Benjamin Dean of Columbia University pointed out that there is a lack of incentives for businesses to invest in cyber security. However, the lack of understanding from businesses about the nature of information flows also plays a significant role.
Although firewalls might be appropriate against intrusive hacking, there are many other pathways by which information may leak. Information does not reside only in the digital environment. It also “lives” in hard copy (e.g. paper) and in the heads of personnel. In fact, information constantly flows between the personnel, hard copy and soft copy (digital space) “repositories”. While not all information is sensitive and needs special protection, businesses need to monitor the changing environment to determine when specific information may become sensitive, and implement appropriate protective measures.
A holistic information security strategy has to consider security measures to control or influence access to storage locations, the flow of information, and the behaviour of information owners and users – the employees.
A key strategy is to treat sensitive information as an asset and map out where it is stored. It is important to remember there are many different repositories within the business.
Technical controls are often the focus of cyber security strategies and the responsibility of IT managers. Such technical controls can help mitigate the risks associated with digital storage. However, identifying who has access to information within the business is also important.
A common technique to protect information is to compartmentalise sensitive organisational processes and information. This means that only employees who “need to know” have access to the information. This reduces the needless circulation of sensitive information and reduces the risk of leakage. Similarly, compartmentalisation can be applied to paper by enforcing a “need to print” policy at printers and marking printed copies with the names of the information owners to allow accountability when leaked or stray copies are found.
Controlling information flow
The handling of information can be captured by mapping information flows within the business. These maps can then be used to identify potential angles of attack.
Information flows are usually closely related to work flow, responsibilities and relationships within businesses. Therefore holistic information security strategies need to be integrated into broader business strategy and operations. Businesses that look at information security from such a perspective are more likely to understand that vulnerabilities might occur during normal business operations, and are not just confined to targeted malicious attacks.
Addressing employee behaviour
Finally, strategies that focus on employees’ security education, training and awareness, as well as, behavioural change are just as important. The key is to increase employees’ understanding that the way they interact with other people, computing systems and hard copy can enhance or diminish the effectiveness of a security program. Sustained periodic training and reminders also serve to reinforce policies and procedures in the minds of employees. It becomes clear then, that cyber security is not just the responsibility of the IT division of the business.
The introduction of digital systems has fundamentally changed the way organisations function, but has unfortunately led to a pre-occupation with technical controls and standards, to the exclusion of other complementary and equally important information security strategies.
Many Australian businesses have misunderstood or are reluctant to grapple with the complexity of the socio-technical problem and tend to focus on IT security only. It’s time for businesses to change that view in light of ever increasing data leakage costs.