Tips from URM – Security breaches – how do we protect ourselves?

In recent weeks the news has, once again, been peppered with high-profile information security breaches.
Many of us find ourselves asking, how do we avoid hitting the headlines for the wrong reasons? This week’s
top tip looks at where to start. Avoiding security breaches is not the responsibility of a single individual,
irrespective of technical ability, knowledge or title.


It is a collective responsibility where each and every employee within an organisation is accountable to
some degree for protecting information and avoiding a security breach. In simple terms, each employee
should be asking themselves three questions:


  • What are we protecting?

  • From whom are we protecting it?

  • How are we going to protect it?


If you’re one of those employees who doesn’t know or is unclear about the answers, then the first port of call for internal advice
and guidance should be your line manager. If you’re the line manager and are not certain, then seek out your information security
manager or, if that role doesn’t exist, the individual who has responsibility for information security.


What are we protecting?

Whilst the answer to the question ‘What are we protecting?’ would seem to be blindingly obvious, it is surprising how often
the answer is unclear when the question is asked. And, if you don’t know what information you are managing or
responsible for, how can you identify how to protect it? Having a clear understanding of the information the organisation has is essential
to identifying the measures needed to protect it.


Employees throughout the organisation will deal with a variety of information types, often with differing access control requirements.
However, it’s essential that all employees are clear on what that information is and how it should be managed and handled.
Information security professionals refer to this as an asset list and, more generally, information classification and handling.


From whom are we protecting our information?

So now we know what we are protecting, we can look at who or what we are trying to protect against. These are known as the threat vectors.
The threat vectors can be distinguished as internal or external and divided into human and technical. These categories can have many different
subcategories and typically depend on the geographical, political and economic situation in which the organisation is operating. Whatever or
whoever they are, it is important to identify them and to be realistic.


How are we going to protect it?

Having established the ‘what’ and ‘whom’, we turn to ‘how’. And, alas, there is no silver bullet or simple answer. The first step is to ensure there
is (or to introduce) structure in the organisation and to achieve a transparent and holistic approach to information security management. The
structure will define roles and responsibilities and identify the means to protect the information. There are different information security
frameworks that can support this: ISO, NIST and COBIT, to name a few. An information security risk assessment will identify where time, effort
and investment are needed. But the most important point is to encourage responsibility, whatever anyone’s role is, and to ensure that all employees
are aware that everyone has a part to play. Equally important is to ensure an open culture. A reported near-miss could ensure the next security
breach is avoided!


If you would like to explore how URM’s consultancy and training services can benefit your organisation, we offer a ‘no obligation’ discussion with a senior member of our consultancy team.  Please let us know the specific challenge you are facing within our areas of expertise e.g. information security (ISO 27001, PCI DSS) so that we can arrange a discussion.