Will 2013 be the Year Businesses Take Information Security Seriously?
Following the scares of 2012, will businesses start wising up to information security?
Yet again, 2012 was a year of security headlines, following the advent of ‘hacktivism’ in 2011. Whilst computer viruses are still prevalent, with 2012 seeing the largest malware infections yet to affect Apple Macs and phones running Google Android, information security disasters have moved from mere industry website write-ups to the front pages of the broadsheets. As a result, today even technophobes are familiar with hacker groups such as Anonymous and LulzSec, who famously targeted the likes of PayPal, Sony and MasterCard. Here in the UK, Census details were reported to have been hacked, and Travelodge was embarrassed after customer email addresses were obtained when its website fell victim to unauthorised access.
With the dawn of super-fast, fibre optic broadband, and with the ‘cloud’ era meaning information is conveniently available in one place, the scale of the Sony PlayStation Network hack (77 million accounts and 2.2 million credit cards reported taken) can now be considered the norm rather than the exception.
The question on many small business owners’ lips has rightly been: if companies like this can be hacked, how secure are my website and my sensitive information? Likewise, customers are concerned about their personal details being secure, particularly now that companies are moving to outsourced cloud computing to store information in a hosted environment. There may be claims of ‘security’, ‘backups’ and ‘fail-safes’, but who is in control of this information, and who watches over them?
The reality of the world today is that even small businesses need to think beyond locks and keys as a method of business security. Electronic data is now the major vulnerability for businesses: a single weak, reused or stolen password can be all it takes to gain access to a wealth of important, confidential and expensive information. A breach robs time and money and can result in long-lasting reputational damage. With the economic climate already tough, information security is something businesses can ill afford to ignore.
Enforcing best practice
Whilst information security is important, that is not to say traditional, physical security risks should be ignored.
A startling figure is that 20% of all recorded crime affects SMEs, with the Federation of Small Businesses (FSB) claiming the cost of crime against its members has soared to an average of £13,500 per firm. Therefore, it is important to have policies and checks in place to ensure:
- Secure Equipment
Office equipment can be expensive, especially when the data stored on it is taken into account. Consequently, consider securing more expensive equipment to floors or walls. Also log serial numbers during regular equipment audits to make sure it is all still there. A range of alarms and locks is available for IT equipment.
- Hiring Policy
Having secure equipment is all very well, but it’s useless if you have someone untrustworthy working with you. When hiring, it’s important to verify previous employment history and check references. Key and security code holders should be trusted individuals. If the worst does happen, instances of theft should be met with decisive action, and you should be prepared to fully support prosecution. Keep a close eye on till money and petty cash, as both are particularly vulnerable to employee theft.
- Shred Files
Archived files should either be shredded or be placed in lockable filing cabinets. Not sure what level of security is appropriate? Then creating a Security Policy may be useful. It allocates responsibility and ensures the whole workforce is aware of the correct process.
- Intellectual Property
An Intellectual Property Office IP Crime Group survey showed that many businesses are not doing anything to protect their intellectual property. 40% of businesses surveyed took no practical action such as trade mark registration, despite it being something you can do easily online. When it came to the intellectual property of others, the survey found it increasingly common to find activities such as the open selling of counterfeit DVDs or the downloading of illegal content whilst at work.
Demonstrating Information Security
It’s all very well saying you look after your clients’ data and your own, but it is harder to prove it. This isn’t just an SME issue; even the likes of Google have sought external recognition of their information security efforts. In their case, and for many others, the answer was the ISO 27001 standard. The standard applies to any organisation that wishes to assess its information security risks and implement ways of addressing them, thereby providing assurance that its processes and controls are secure. It also helps to develop and enhance best practice.
Internationally recognised, ISO 27001 sets out the requirements for creating an Information Security Management System (ISMS), something which will be familiar to those who have implemented the likes of the ISO 9001 quality standard. In fact, ISO’s management system standards share a common structure and are designed to work together.
The beauty of the standard is that it is designed to be generic, and therefore applicable to businesses of any size or sector. It isn’t every day a sole trader can claim the same credentials as the likes of Google and Microsoft, but ISO 27001 provides that opportunity. For the very same reason, ISO 27001 is also increasingly favoured within tenders: it means buyers do not have to carry out lengthy, expensive checks on suppliers; they simply ask for evidence of certification to ISO 27001.
Third Party Assurance
Whilst anyone can implement ISO 27001 by simply following the requirements of the standard, achieving third-party certification is the demonstration to clients that your claims have been independently verified. After approaching an ISO 27001 certification body, it is essentially a three-stage process to achieve and maintain certification.
The first stage is a review of the processes and policies you already have in place, including your documented ISMS. The certification body’s auditor will identify any ‘gaps’ so you can correct them ready for the formal audit to achieve certification.
The stage two audit is where your auditor will seek evidence, on site, to confirm that the management system has been properly designed and implemented and is actually being followed. If it has, you can then be recommended for certification.
Once you have achieved certification, it is a case of having surveillance audits to ensure your organisation continues to meet the requirements of ISO 27001. These are normally held annually, with a full recertification audit at the end of each three-year certificate cycle, but they can be more frequent if you feel it would be more beneficial.