Securing data is a critical business issue. Cyber-attacks are on the rise: PWC’s 2015 Information Security Breaches Survey (http://www.pwc.co.uk/services/audit-assurance/insights/2015-information-security-breaches-survey.html) states that almost 9 in 10 large companies have suffered some kind of security breach. According to the report, it’s not just the number of breaches on the rise; these attacks doubled in both scale and cost in 2015.
But when we think about data, what do we mean? The most stringent security measures may be in place for customer data, but what about highly confidential corporate information? All too often, corporate data – such as confidential information on a company’s M&A strategy or financial health, for example – is excluded from data security measures because it is handled directly by the board. But this could mean an organisation losing control of some of its most sensitive data, which, if leaked, could not just damage the company’s reputation but affect share price (in the case of a public company) and profits (according to PWC, a security breach costs on average between £1.46m and £3.14m for a large organisation, and between £75k and £311k for a small business).
There are three broad areas that all businesses should consider when approaching the security of corporate data.
1. Board-level buy-in
Security is the responsibility of the board. The UK Government’s ongoing national cyber security strategy highlighted the importance of improving cyber awareness and risk management among businesses, and identified security as a board-level responsibility. The board should also lead by example: if the board doesn’t take security seriously, who will? The board operates in an increasingly tough environment of regulation and compliance, and handles critical business information on a daily basis. And yet its own role in securing that information is often overlooked. Is there a security expert on the board? Does the board promote a culture of information security? Do all board members practise good information security themselves, or do they still rely on paper information and unsecured email?
2. The physical and technical sides of data security
Build or buy? This is the first question the organisation should address when deciding on a secure solution to manage, store and access confidential data. The advantages of buying a specialist solution are well-documented: you have access to the best security expertise, and regularly updated and tested security technology and datacentres, without the cost, time and management of keeping that level of expertise in-house.
Who can support the team in the event of a breach? Do you have the ability to provide 24/7 support if a password is lost out of office hours, or an unsecured laptop is stolen containing confidential information, or a board member needs help accessing data in another time zone?
Where is the data housed? Digitally stored data still resides somewhere, and that location must be secured. Whether in off-site datacentres, or in the server room, servers need to be protected by CCTV, access control, and physical security. There should be a back-up power supply, like a generator, so that the data is always accessible even in the event of a power failure.
Your data should be accessed digitally, and it must be password protected and encrypted both in transit and at rest. Encryption methods vary, but data should be protected by TLS using ciphers with at least 128-bit keys when it is uploaded or downloaded, and by 256-bit encryption when it is stored on devices or servers.
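As an added illustration of the in-transit floor above (example code, not from the article or from Diligent), the Python below checks negotiated TLS cipher details against a 128-bit minimum using the (name, protocol, bits) tuple that the standard library’s ssl module reports for a connection, and audits which suites a default context could negotiate; the sample connection records are constructed.

```python
import ssl
from typing import Iterable, List, Tuple

# Floors taken from the article: 128-bit cipher keys in transit, 256-bit at rest.
MIN_TRANSIT_BITS = 128
MIN_REST_BITS = 256

CipherInfo = Tuple[str, str, int]  # (name, protocol, key bits), as ssl.SSLSocket.cipher() returns


def check_negotiated_cipher(cipher: CipherInfo, min_bits: int = MIN_TRANSIT_BITS) -> Tuple[bool, str]:
    """Evaluate one negotiated cipher against the key-length floor; returns (ok, reason)."""
    name, protocol, bits = cipher
    if bits < min_bits:
        return False, f"{name} over {protocol} uses a {bits}-bit key; policy floor is {min_bits}"
    return True, f"{name} over {protocol} meets the {min_bits}-bit floor"


def compliant_suites(ctx: ssl.SSLContext, min_bits: int = MIN_TRANSIT_BITS) -> List[str]:
    """Suites the context could negotiate that satisfy the floor ('alg_bits' is the nominal key length)."""
    return [c["name"] for c in ctx.get_ciphers() if c["alg_bits"] >= min_bits]


def weak_suites(ctx: ssl.SSLContext, min_bits: int = MIN_TRANSIT_BITS) -> List[str]:
    """Suites the context could negotiate that fall below the floor (should be empty for a sane policy)."""
    return [c["name"] for c in ctx.get_ciphers() if c["alg_bits"] < min_bits]


def default_context_report() -> Tuple[List[str], List[str]]:
    """Audit Python's default client context: (compliant suites, weak suites)."""
    ctx = ssl.create_default_context()
    return compliant_suites(ctx), weak_suites(ctx)


# Constructed sample records of what an audit log of negotiated connections might hold (not real captures).
SAMPLE_CONNECTIONS: List[CipherInfo] = [
    ("TLS_AES_256_GCM_SHA384", "TLSv1.3", 256),
    ("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2", 128),
    ("DES-CBC3-SHA", "TLSv1", 112),
    ("RC4-MD5", "TLSv1", 128),  # passes a pure key-length floor despite RC4 being broken; see note below
]


def audit_connections(conns: Iterable[CipherInfo], min_bits: int = MIN_TRANSIT_BITS) -> List[str]:
    """Return a finding for every connection that fails the floor."""
    findings = []
    for conn in conns:
        ok, reason = check_negotiated_cipher(conn, min_bits)
        if not ok:
            findings.append(reason)
    return findings
```

A key-length floor alone lets RC4-MD5 through, which is why the context audit starts from ssl.create_default_context(): its cipher list already excludes RC4, NULL and other broken algorithms, so the floor is a check on top of a sound baseline, not a substitute for one.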
Redundancies must be built into the system, allowing work to continue in the event that one site is compromised, whether by a security breach or a natural disaster such as a flood. Data should be backed up to a secondary system, located off-site (and with the same physical security measures as your primary servers).
3. The human side of data security
Human error is arguably the biggest challenge faced by organisations in mitigating security risks. Who has access to the data? How often are passwords changed? Is there a clear protocol if a password is compromised, or if data falls into the wrong hands? How quickly can you change access rights when someone leaves the company? You should be able to set and amend access rights to critical information centrally.
Can you be certain who has access to your most sensitive information, starting with your board reports? Using a digital board portal – a way of accessing board-level information via a secure application – can mitigate risk by securing information and controlling access, and – importantly – avoiding distributing confidential information on paper.
Training is a key part of any security plan. Employees must be clear about their role in securing the organisation, and know precisely what they can and cannot do. For example, would they be allowed to work on a confidential document while on the train into work? Are they printing out confidential documents and carrying them from meeting to meeting (or worse, leaving them in the back of a taxi)? Data risk isn’t just about hackers and unencrypted USB sticks falling out of pockets, it’s also about the commuter standing behind someone with a laptop on a train.
Review internal security guidelines, training and procedures regularly. People will often use the path of least resistance. Organisations need to encourage a security-focused mindset by making it simple to be secure, and forcing users to regularly change passwords (and to make them complex).
BYOD is now a fact of office life in many companies. Organisations need to have clear rules to deal with it. Employees may bring in their own laptops, tablets and smartphones, or use them to work from home, but are these devices protected? Do they have the latest operating systems? Do they have official anti-virus and firewall software? Does the employee practise common sense online (such as not clicking on suspicious links)?
These things are all more difficult to track when the device isn’t part of the corporate network. While most threats will be neutralised by a good security system if the employee’s device tries to transfer an infected file, these devices still represent a risk, and organisations need to establish procedures to deal with potential problems.
While there’s no way to completely eliminate the chance of human error, organisations with a strong security system can minimise the risk, by having clear plans in place so that one slip-up won’t cause too much damage.
Information security isn’t just a matter of systems and procedures; it’s about culture. It’s not enough for security guidelines to be detailed in the employee handbook. They must be practised. That means buy-in from the top of the organisation, fed down via those who manage employees on a daily basis. Security should be part of business culture.
About the Author
Charlie Horrell is Managing Director for Europe, the Middle East and Africa at Diligent Corporation.
Charlie’s career has focused on driving digital, technology and media businesses. He joined Diligent in January 2012 after five years as CEO of Packet Vision Limited, an advertising services company. Prior to that, he was COO of a €1 billion division of Thomson SA, the French media company, and CEO of IDP SA in Paris, a publicly listed French company.
He also spent seven years with News Corporation, initially at BSkyB and then at Star TV in Hong Kong. During this period, Charlie headed business development and served as general manager of the first foreign media joint venture in China as well as deputy general manager of the Star Network. He has managed €1 billion corporate divisions, successfully formed joint ventures, raised venture capital and facilitated the sale of multiple companies during a career that has spanned the globe.
Charlie began his career as an accountant with Arthur Andersen and holds a degree in Economics.