Keeping business systems safe and protecting your data has never been more difficult to achieve. And it is only likely to become harder. Getting the right risk management strategy in place is critical.
Embracing an appropriate information risk management strategy can, if implemented well, lead to significant advantages, according to John Hetherton, senior consultant at Espion. These include:
• Accurate prioritisation of resources to implement controls, reduce risks and maximise business benefits
• Reducing the likelihood and impacts of a risk to an acceptable level
• Being adequately prepared to manage incidents when they do occur
• Increased oversight of risk from internal and external threat sources.
“These advantages may result in reduced downtime, increased services and profitability levels, which often justify the spend associated with introducing an information risk management program. When establishing objectives for an information risk management program, it is important to ensure that the objectives align with those of the organisation’s strategy and that the risk management program is integrated into the culture of the organisation, as opposed to running autonomously or as an afterthought to an existing process.”
To this end, Hetherton says, before adopting a risk management strategy, it is important to understand the most critical processes within the organisation; what information and systems those processes rely on, and the nature of the internal and external factors that may impact those processes. “Generally, the most important processes within an organisation are those that facilitate revenue generation and regulatory and legal requirements, which, if not met, may result in the cessation of business.
INFLUENCING FACTORS
“The internal and external context of an organisation must also be well understood, generally by means of conducting assessments on internal and external factors that may influence the organisation’s approach to risk.” Factors to be considered include the mission and main activities of the organisation; the cultural, economic, legal and regulatory nature of the operating environment; perceptions and brand; governance and organisational policies; and organisational capabilities to manage security.
There are many frameworks, such as ISO 27005, that can be tailored to the nature of any business and its operating environment and that, crucially, prioritise protecting critical business processes and the systems and information that support them, he adds.
“For instance, if your organisation is required by service level agreements to maintain availability of 99.9%, prioritisation of resources should be allocated to ensure that multiple redundant network links and hot sites are available that facilitate meeting the contractual requirements.”
TOOLS FOR ALL BUDGETS
As the activities of different organisations vary dramatically, it can often be difficult for an organisation to obtain a holistic view of information risk, Hetherton points out. “To ease the burden of risk management, a number of tools have been developed to suit almost every budget. Costs vary for risk management tools, ranging from hundreds of thousands of pounds for some enterprise-level platforms to hundreds of dollars for basic entry-level risk management platforms. Generally, the cost of risk management tools increases, based on the types and number of information sources that are correlated in order to show the holistic risk view.
“Independent of the tools used, in order for risk management to be effective, the culture of risk management must be adopted across the organisation, with a consistent approach being pushed from the top down.”
TOUGH TASK
Keeping business systems safe and protecting the data that they hold has never been more difficult to achieve, points out global analyst firm Ovum. It is a commitment that continues to be threatened by security attacks ranging from opportunistic hackers using pre-built tools through to targeted, well-resourced, state-sponsored cyber activity.
According to Ovum’s ‘Security 2014 Trends to Watch’ report, attack volumes will continue to rise and no business should consider itself immune; any type of organisation can be targeted. Even the best-protected government, military and business systems have already been breached, and in 2014 they will be put under further pressure, it warns. Some of the key areas it highlights for those intent on staying secure in 2014 include:
• More proactive protection is needed to address the cyber security time bomb
• Security-as-a-service will be the way forward for a growing number of organisations
• Cloud and mobility will change the way we approach IT security and user protection.
“In 2014, cyber espionage and state-sponsored threats will continue to make headlines, but the concerning underlying trend is that similar technology can and will be used against ordinary businesses,” Andrew Kellett, principal analyst, software – IT solutions and author of the report, warns.
FUNDAMENTAL SHIFT
“Security experts recognise the rise in use of sophisticated malware, and this is driving the need for better and more proactive security…organisations will be required to fundamentally shift their approach to security from a mainly static defensive posture to one of taking positive action before or as an attack takes place.”
In 2014, enterprise organisations will need to gain positive advantages from security intelligence, Big Data analytics, and the ability to understand threat priorities and the actions needed to sustain the well-being of the organisation and its users.
“Not every organisation has the budget or security resources to meet its current protection requirements, let alone the extended use of cloud-based services and the BYOD-driven use of smartphones and tablets by employees,” Kellett acknowledges. “Therefore, organisations will be forced to consider the practicalities of managed, security-as-a-service options.”
Ovum believes the need for better security will be driven by operational demands, including the use of technology that makes business information more readily available and consequently more vulnerable to cyber-attacks. Increasing use of cloud-based services, user mobility and multiple devices is adding complexity to security, particularly identity management requirements.
“Ovum recommends that organisations should look to gain positive advantages from Big Data, security intelligence and analytics-based approaches to security management,” he adds.
“Meanwhile, mainstream security vendors need to provide a range of products and services that genuinely meet the protection needs of both SMEs and large enterprise clients.”
GETTING IT RIGHT
The first rule of designing any worthwhile information risk management programme is to adopt an effective data classification methodology, insists Nick Rafferty, COO, SureCloud. “It may sound obvious, but in practice not many organisations do it. Still fewer do it well. But unless your programme is based on a clear understanding of the value of the information you have stored – and a close knowledge of your regulatory obligations – you can easily end up with a one-size-fits-all approach that treats every supplier the same.
“This is far from sufficient. Inevitably, some third parties will share more confidential information with you than others, thereby presenting different levels of risk to the organisation. In contrast, with the help of proper classification, you can start to identify which partner organisations represent the greatest risk to your information assets.”
When drawing up a checklist, the first task is to determine the information most sensitive to your business. You also need to know which data has to be protected, from a regulatory point of view, and which information is shared with third parties of all types. Partners and suppliers alike should be assessed against this short checklist to establish the type and volume of information they handle on your behalf, he adds. “You need to know what they have of yours that has value and who they are sharing it with.”
CLASSIFICATION OF INFORMATION
Classification of information falls into three broad categories, says Rafferty (although they can be as granular and specific as deemed necessary).
First comes ‘Confidential’, which refers to sensitive information that qualifies for the highest degree of protection. “Confidential information is only available to those with the highest-level access rights. Disclosure can only be sanctioned by the most senior person in charge, which is usually the data or information security manager. Third parties must be in possession of a signed confidentiality agreement before this class of information can be shared.”
Then comes ‘Internal’. This concerns aspects of the business not meant for public disclosure, but freely available to all employees. “If leaked, the information would be unlikely to cause serious difficulty, but would still require a confidentiality agreement before sharing with third parties. Company policies and standards and operational procedures are good examples here.”
The third class – ‘Public’ – covers information not governed by special protection measures or rules. “Such information can be made public and would include press releases, marketing literature, company annual reports and so on,” Rafferty states.
HANDLING & PROTECTION
All confidential information stored on the company’s IT systems has to be protected by strict access controls to ensure that it is not improperly disclosed, modified or deleted. “Under these circumstances, employees are prohibited from recording or sharing the information in any way, via any medium,” he adds. “Strict controls also apply to any office, computer room or work area where confidential information is stored. The handling and protection guidelines govern all stages of a digital asset’s lifecycle, from its creation and storage through to its eventual deletion.”
The final set of procedures relate to how information is labelled to ensure it is handled in line with its assigned classification. “They apply equally to physical and electronic assets. Every classification type has prescribed processes covering copying, storage – whether by post, fax, internet or email – and end-of-life,” he concludes.
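The three classes and their handling rules above translate directly into a policy check that can be run before anything is shared, and the same records let you rank the third parties mentioned earlier by what they hold of yours. The following is an added example, not code from the article or from SureCloud; the request fields it uses (recipient type, whether a confidentiality agreement is on file, sanction by the information security manager, the recipient's access level) and the supplier-ranking function are my own assumptions about how such a scheme would be recorded.

```python
"""Classification handling rules expressed as an executable policy check.

Added example; not code from the article or from SureCloud.  The three
classes and their rules follow the scheme described in the text.  The
request fields (recipient type, signed NDA, sanction by the information
security manager, access level) and rank_third_parties() are assumptions
about how such a scheme would be recorded, not part of the article.
"""
from dataclasses import dataclass
from enum import Enum, IntEnum


class Classification(IntEnum):
    """Ordered so that a higher value means a higher degree of protection."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2


class Recipient(Enum):
    EMPLOYEE = "employee"
    THIRD_PARTY = "third party"
    PUBLIC = "general public"


@dataclass(frozen=True)
class Asset:
    name: str
    classification: Classification


@dataclass(frozen=True)
class ShareRequest:
    asset: Asset
    recipient: Recipient
    access_level: Classification = Classification.PUBLIC  # highest class the recipient is cleared for
    nda_signed: bool = False      # signed confidentiality agreement on file for this third party
    sanctioned: bool = False      # disclosure approved by the information security manager


def label(asset: Asset) -> str:
    """Marking stamped on the asset so every handler can see its class."""
    return f"[{asset.classification.name}] {asset.name}"


def decide(req: ShareRequest) -> tuple[bool, str]:
    """Return (allowed, reason) for one sharing request.

    Rules are checked from the most restrictive downward so the reason
    names the first rule that fails, which is what an auditor wants logged.
    """
    cls = req.asset.classification
    if cls is Classification.PUBLIC:
        return True, "public information carries no handling restrictions"
    if req.recipient is Recipient.PUBLIC:
        return False, f"{cls.name.lower()} information may not be disclosed publicly"
    if cls is Classification.INTERNAL:
        if req.recipient is Recipient.EMPLOYEE:
            return True, "internal information is available to all employees"
        if not req.nda_signed:
            return False, "third party has no signed confidentiality agreement"
        return True, "internal information shared under a confidentiality agreement"
    # CONFIDENTIAL from here on
    if req.recipient is Recipient.EMPLOYEE:
        if req.access_level < Classification.CONFIDENTIAL:
            return False, "recipient lacks the highest-level access rights"
        return True, "employee holds the highest-level access rights"
    if not req.sanctioned:
        return False, "disclosure not sanctioned by the information security manager"
    if not req.nda_signed:
        return False, "third party has no signed confidentiality agreement"
    return True, "confidential disclosure sanctioned and agreement in place"


def rank_third_parties(holdings: dict[str, list[Asset]]) -> list[tuple[str, Classification, int]]:
    """Rank suppliers by the highest class they hold, then by volume of assets held."""
    rows = []
    for supplier, assets in holdings.items():
        top = max((a.classification for a in assets), default=Classification.PUBLIC)
        rows.append((supplier, top, len(assets)))
    rows.sort(key=lambda r: (r[1], r[2]), reverse=True)
    return rows


if __name__ == "__main__":
    # Constructed sample data, not from the article.
    payroll = Asset("payroll export", Classification.CONFIDENTIAL)
    handbook = Asset("staff handbook", Classification.INTERNAL)
    release = Asset("press release", Classification.PUBLIC)
    requests = [
        ShareRequest(payroll, Recipient.THIRD_PARTY, nda_signed=True),                  # no sanction
        ShareRequest(payroll, Recipient.THIRD_PARTY, nda_signed=True, sanctioned=True),
        ShareRequest(handbook, Recipient.THIRD_PARTY),                                   # no NDA
        ShareRequest(release, Recipient.PUBLIC),
    ]
    for r in requests:
        ok, why = decide(r)
        print(f"{'ALLOW' if ok else 'DENY':5} {label(r.asset)} -> {r.recipient.value}: {why}")
    holdings = {"payroll bureau": [payroll], "print shop": [release, release, handbook]}
    for supplier, top, count in rank_third_parties(holdings):
        print(f"{supplier}: holds {count} asset(s), highest class {top.name}")
```

The ordering of the enum is the important design choice: because `Classification` is an `IntEnum`, "does the recipient's access level reach the asset's class" is a plain comparison, and the supplier ranking sorts by the highest class held before volume, so a supplier holding one confidential export outranks one holding many public and internal documents. That is the prioritisation the checklist is meant to produce.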
Not everyone will take this exact route, of course, but the principles are sound and would successfully underpin any strategy that aims to deliver robust information risk management. Whatever the finer detail, having such policies in place, understood and actioned is the bottom line. Failure to do so leaves any organisation open and vulnerable to abuse.
Featuring multiple contributors including expert commentary from Nick Rafferty, COO, SureCloud.