Information Security
by Andy Taylor
Is information security really a problem?
There is a view that the information ‘leaks’ of recent years, not just in the UK but in the USA and other countries around the world, have been over-hyped for the benefit of information security specialists. This is an especially strong view when anti-virus protection is discussed. Many believe the main players in the anti-virus software marketplace are the same people who generate new viruses to scare the population into buying more of their protective products.
This is an ill-founded belief, however, and both the business population and the general public are becoming increasingly aware of the importance of information security.
Availability versus security
Getting the balance right between security and availability can present real problems.
The events that followed the planting of bombs in the car park under the World Trade Centre in the USA in February 1993 highlight why information security and availability are important to all industries and sectors. The bombs did very little damage to the building itself, but the building remained closed for some weeks while detailed structural assessments were made to ensure it was safe for use.
Of the companies trading in the building at the time, more than 50 per cent went into liquidation or otherwise stopped trading as a result of the incident. The main reasons cited for this effect often related to the lack of availability of the information required to trade. Companies lost access to their invoicing or customers’ details and their cash flow slowed or stopped. Had they taken some fairly basic measures to ensure their critical information would remain available in a crisis, the consequences would have been very much less serious for many of those companies.
In light of the above, it might be tempting to go to the other extreme and keep so many back-ups of information that keeping track of them would become a problem in itself. The degree of protection used has to be commensurate with the risk.
The first requirement is therefore to undertake a proper risk assessment, to make sure that the problems that could happen are clearly understood. It also helps to ensure the final measures put in place to protect the information are appropriate for the risks that have been identified.
What are the risks?
There are a number of fairly typical risks that are likely to affect all organisations. However, there are almost certainly some risks that are very specific to your business: it is critical to understand exactly what risks your business faces and not assume they are the same as those of the ‘company down the road’. Using the STEEPLE mnemonic will help to prompt thoughts about the different ways risk can arise, but be aware that this is not a comprehensive list.
Societal risks
These include the reputation of the organisation, an area where many bodies, notably public bodies and charities, but also ordinary businesses, have to be very careful. So you need to ask what might happen that could damage the organisation’s reputation.
Societal risks also include spying. It’s an evocative word, but many employees have information which would be of use to competitors or others. Spying is often called social engineering since it involves using the relationship with individuals to achieve nefarious ends such as obtaining money or information inappropriately. Limiting access to large databases of information – perhaps clients’ details – might be a sensible precaution for many organisations.
Technological risks
For many organisations in the modern world, this is the area most likely to give rise to risks. Attacks on computer systems are the most common, most complex and potentially most damaging form of risk.
Environmental (physical) risks
As mentioned elsewhere, the local physical environment of the company’s premises may be a factor. Other organisations in the neighbourhood may well have a detrimental effect if they have a serious fire, flood or other type of problem. The knock-on effects of a fire, explosion or flooding might result in you losing access to your data for a significant period or, indeed, losing it altogether.
Environmental (business) risks
The business environment presents a number of security risks, including the use of third-party suppliers, trading on the internet or working in sensitive or dangerous activities. All can affect the way in which information must be processed, stored and disposed of, and can impose significant additional constraints and expense on the solutions proposed.
Political risks
Risks associated with the political situation could include attacks from foreign organisations, with many recent attacks originating from countries in the Far East. The World Wide Web makes this all too easy.
Legal risks
These include risks from non-compliance with legislation such as the Data Protection Act, the Misuse of Computers Act, the Regulation of Investigatory Powers Act, the Human Rights Act and various types of employment legislation, all of which apply in the UK. Similar legislation is in place in many other countries. In addition, certain types of organisation are bound by other legislation specific to their business. This might include financial services, where there are specific regulations on access to certain types of information. There will also be other types of regulation that apply to certain businesses which, although not legally binding, have to be considered as a risk, since professional bodies or regulators may well have authority to fine companies that do not comply with a code of practice. A practice of ‘naming and shaming’ non-compliant companies has also been introduced in some professions and geographical areas.
Economic risks
These risks come from the world of finance and could again appear in many guises. The straightforward risk of losing access to funds through bank details being lost, changed, forged or otherwise compromised is perhaps the most obvious. Sending bank account details across the internet in a plain language email, for example, is seen by most as a fairly foolish thing to do as an individual, let alone as a business. Asking customers to do the same is liable to lose clients in the short term and, should an unfortunate incident involving clients’ details become known, the long-term effects could be critical.
Is this a technical problem or a business problem?
The computer is now an indispensable business tool. Consequently, questions of security and computers have become interwoven to such an extent that people tend to imagine they only need to worry about computer security. This is a fallacy likely to bite the unwary! Naturally, computer security is very important and it would be very foolish to ignore it. Computers are not, though, the only custodians of important information.
There are still many businesses using paper records and these also need looking after appropriately. Further, the information stored in the heads of key staff members, perhaps those that have been with the company for 20 or 30 years, also needs looking after. Thus it is the whole world of information that must be considered.
The tools used to process, store or access the information are just that: tools. The information itself is the asset that needs proper consideration and protection.
Business impact assessment
It is important to recognise that the whole area of information security is very much a business issue and not just a technical one. It is the business that must decide the impact of the loss of information through a business impact analysis/assessment. It is the business that decides how much money and effort it is willing to put into security.
This is done through conducting a Business Impact Assessment (BIA). Having identified the risks, and identified (with or without professional help, according to the risk) the options for handling each risk and how much the preferred option(s) will cost, it is for people within the business to choose whether to take action to mitigate or avoid the risk, or to do nothing and accept it.
Ultimately, every information security professional will tell the business leader it is up to them to decide how much risk they are prepared to accept – this is commonly called the risk appetite. This will determine how much the business spends on looking after its key assets of information. If the business leader feels it is a risk worth taking, then no protection could be the right answer, but this decision must be taken on the basis of a very good analysis, ensuring the leader is well aware of the critical business decision they are taking.
Whether you require outside advice and help or not, the final assessment of risk versus cost, the degree of protection your business requires, is a business decision that must be made within the business and backed by the people at the top, who must make it clear that it is everyone’s responsibility.
Will it cost a lot of money?
The answer to this question is, naturally, that it depends. A balance has to be struck by the business managers between the cost of security measures (which in themselves could be very cheap) and the cost of any of the risks actually occurring.
Dealing with potential risks can be very cheap. It might, for example, simply be a matter of writing a policy statement that tells staff how to protect information by storing it in an appropriate location, taking routine backups and meeting similar basic requirements. On the other hand, for those organisations with major risks and perhaps with much larger information asset holdings, with greater business impact or with major reputation considerations, sorting out their information security measures could be expensive. They may need to consider ‘hot back-up’ sites, major investment in alternative accommodation or other significant measures.
Do I need outside help?
It may be helpful to bring in an independent expert to help with the risk identification and analysis part of the work. Those who have done the job before, particularly in a similar line of business or organisation, would be best placed to help identify potential risks. It sometimes takes a technical expert to give a realistic assessment of the risks of sending plain language emails across the internet, for example.
There are also a number of books on risk which could suggest types of risk to consider. Many publications, such as the Office of Government Commerce’s Management of Risk book, suggest generic areas of risk, which might prove a useful starting point. There are others that deal with business-specific risks and still more that look at the various types of technical risk, notably in connection with computing. Your first step should be to check the appropriate websites to gain the best-practice advice freely available from governments and professional organisations.
Whatever you decide, it is essential the assessment of risks and business impact is done by those with the right level of knowledge and understanding of the business. These two pieces of work are the foundations of the remainder of the work – get those wrong and the chances are the rest will be wrong too and, at worst, be a waste of money and effort.