“We have gone on holiday by mistake!”
Withnail & I
Information security is widely misunderstood in the business world, and in pretty much any other sector you care to mention. It means different things to different people:
- To financial companies it is commonly viewed as a "required to have, because we are told we have to". They do what they need to do because a governing body (the FSA, the card brands, etc.) forces them to, and they do the minimum required to tick the boxes, no more, no less.
- To large and medium retail companies, information security is something they have to do because the banks tell them they have to. They don't like it, because it eats substantially into their profits, but they do the minimum they need to in order to tick the boxes.
- To cloud companies it is viewed as "not our problem, because it's not our data and thus not our responsibility", so they do only the minimum required to assist their sales process, commonly ISO 27001 certification, as it is the easiest to attain.
- To technology companies it is firewalls and antivirus. After all, they will "never get hacked" because they "are not a target", so they do the minimum that, in their minds, provides security at the smallest possible cost, ticking only the boxes they need to.
Looking carefully at the examples above, you begin to see a pattern: nobody really knows what information security is, nobody really wants to do it because they think it costs too much, and if they do have to do it, they will do the minimum required to tick whatever box they need to. This leads me to ask a question.
“What is the minimum?”
Funnily enough, every organisation that I have spoken to in the categories above cannot answer that simple question. Sure, some of them will mention compliance (especially PCI DSS), but on the whole there has been no good answer, and that is quite interesting.
Analysing further and digging deeper, the question becomes something different:
“What is the minimum that we HAVE to do?”
So what is it you have to do? Is it securing card data? Changing your contracts to absolve yourself of any security responsibility for the services you provide as an outsourcer? What, in your mind, is the minimum you have to do to secure your operations?
Analysing deeper still, the question becomes:
“What is the minimum that we have to do and what can happen if we don’t?”
What are the consequences of not becoming secure? What fines do you face? What bad publicity do you risk (let's face it, the British media LOVES to see someone fall from grace and reports heavily on it)?
When you analyse that question once more, it changes again to:
“What are our responsibilities?”
Now that is a good question, and it is the root question when it comes to looking at information security in your own organisation. What are you, as a business, obliged to do to protect:
- Your owners / shareholders / stakeholders
- Your reputation / brand
- Your revenue streams / assets
- Your clients
These, ultimately, are the things you are responsible for within your organisation, and that means all of you: the IT guy on the helpdesk, the sales people selling your product, and the directors and shareholders who run the business itself. Information security is a company-wide concern at every level, and in the current market it is one that cannot be ignored. Companies are falling at the first security hurdle left and right, security breaches are causing more lost and stolen revenue in the western world than any other criminal activity, and it is getting worse.
Can your business afford a security incident? Think long and carefully about the answer to that question…
If you need help with the answers, don’t forget we are only a phone call away. T +44 (0)1622 873242