How do You Avoid Information Security Breaches?

|
|
PUBLISHED on
27 Jul
2022

With the news often including stories regarding high-profile information security breaches, many of us find ourselves asking how we can we avoid hitting the headlines for all the wrong reasons.  Let’s look at where we can start.  

Avoiding security breaches is not the responsibility of a single individual, irrespective of technical ability, knowledge or title. It is a collective responsibility, where each and every employee within an organisation is accountable to some degree for protecting information and avoiding a security breach. In simple terms, each employee should be asking themselves three questions:

  • What are we protecting?
  • From whom are we protecting it?
  • How are we going to protect it?

If you’re one of those employees who don’t know or are unclear about the answers, then the first port of call for internal advice and guidance should be your line manager.  If you’re the line manager and are not certain, then seek out your information security manager or, if that role doesn’t exist, the individual who has responsibility for information security.

What are we protecting?

Whilst the answer to the ‘What are we protecting?’ question would appear to be blindingly obvious, it is surprising how often the answer is unclear.  And if you don’t know what information you are managing/responsible for, how can you identify how to protect it?  Having a clear understanding of the information the organisation has is essential to identifying the measures needed to protect it.

Employees throughout an organisation will deal with a variety of information types, often with differing access control requirements.  However, it’s essential that all employees are clear on what that information is and how it should be managed and handled.  Information security professionals refer to this as an asset list and generally, ‘information classification and handling’.

From whom are we protecting our information?

So, once we know what we are protecting, we can look at who or what we are trying to protect against.  These are known as the threat vectors.  The threat vectors can be distinguished as internal or external and divided into human and technical.  These categories can have many different subcategories and typically depend on the geographical, political, economic situation in which the organisation is operating.  Whatever or whoever they are, it is important to identify them and to be realistic.

How are we going to protect it?

Having established the ‘what’ and ‘who’, we now turn to ‘how’.  Alas, there is no silver bullet or simple answer.  The first step is to ensure there is (or to introduce) a structure within the organisation and achieve a transparent and holistic approach to information security management.  The structure will define roles and responsibilities and will identify the means by which we will protect the information.

There are different information security frameworks that can support this; the International Organisation for Standardisation (ISO), the National Institute for Standards and Technology (NIST) and Control Objectives for Information and Related Technology (COBIT), to name but a few.  An information security risk assessment will identify where time, effort and investment are needed.  The most important point, however, is to encourage everyone (irrespective of their role) to take responsibility for information security and make them aware that all employees have a part to play.  Equally important is to ensure an open culture.  A reported near-miss could ensure the next security breach is avoided!

Do you need any help with ISO 27001 certificate?

URM can help you achieve ISO 27001 certification
Thumbnail of the Blog Illustration
Information Security
Published on
14/2/2024
A Comparison of ISO 9001 and ISO 27001

URM’s blog compares the management system clauses of ISO 27001 and ISO 9001 to identify integration opportunities.

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
29/2/2024
The Timeline for Transitioning to ISO 27001:2022

Blog, produced in collaboration with BSI, discusses the timeline for transition to ISO 27001:2022 and what you can expect from your transition assessment.

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
22/7/2022
What are the Most Common Insider Threats to Information Security?

Broadly speaking, information security is held up by three pillars – People, Process and Technology. It is widely accepted that humans are the weakest link

Read more
Great presentation, thanks. I enjoyed the interaction between lead speaker and support person.
Webinar 'Planning Your ISO 27001 Audit Programme'
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.