
Is Your Organisational Information Secure?

Friday 15 August, 2008

IT systems form an integral component of all business processes, and are being attacked in a number of ways with increasing frequency. This requires shorter reaction times to deal with the attack before it impacts on the business. Often an organisation is unaware that an 'attack' has taken place.

Here are just a few types of threats being mounted against organisations.

  • Viruses - Can be transferred through email attachments and through the exchange of documents, often with the intent of either damaging the data or flooding the network with so much traffic that it results in a denial of service (DoS).

  • Malicious software - Either tracks and transfers data without the user's knowledge or uses keystroke logging to capture passwords and access to business and personal information.

  • Hacking - Particularly where customers or members are invited to register for a 'private' access area (which may not be made secure and tested to ensure that other clients cannot view their personal data or documents that they shared through the web portal).

  • Social engineering - Where users answer apparently innocent questions either over the phone or outside the building.

  • Unauthorised access to buildings - Those who seek to steal laptops and confidential information simply access the floors by either trailing someone who has a swipe card or by masquerading as janitors or service personnel.

  • Existing employees gaining unauthorised access to systems - Increasing access is provided to the employee as they move throughout the organisation (referred to as 'access creep'), or due to poor password or access authorisation processes.

  • Past employees gaining unauthorised access to systems - Particularly when access cards are not collected or disabled upon the employee's departure from the organisation, or when former staff can still reach applications through remote access or by physically entering either the main or a remote building site.

  • Or any of a number of other ways - Rubbish bin trawling to find confidential information, providing free USBs that are implanted with malicious software at seminars (or simply leaving them in the car park to be picked up by an unsuspecting employee), or tapping into insecure wireless networks.

The threats listed are by no means exhaustive; it is merely a list of some of the attacks that can take place against an organisation.

The most important organisational resources that need to be protected from these attacks include:

  • Intellectual property

  • Personal data

  • Credit card data

  • Tax file numbers

A key strategy to reduce the risk of a successful attack and to maintain business continuity is to implement a cost effective information security risk management program. The following steps will assist you to develop and implement this program:

  1. Executive support and commitment - Without the support of senior management, including the CEO and, where applicable, also at Board level, the potential to implement a successful information security risk management program rapidly decreases. To gain their attention it must provide value to the business, in particular, focussing on risk. This is often undertaken using a simple model of Return on Security Investment (ROSI).

  2. Link to organisational strategies and risks - The approach needs to be expressed in the context of the direction that the organisation is heading. An organisation that is rapidly growing may not understand the impact an information security risk will have on their organisation and the importance of planning to prevent attacks before they occur. The risk environment will also depend on the industry the organisation is in.

  3. Assign clear roles and responsibilities - Key players need to understand their roles and responsibilities and be confident that there is clear, measurable business value to be obtained from investing in information security risk management. The IT Manager does not 'own' the IT risks that the organisation faces. They have a responsibility for implementing controls that the business deems appropriate when the probability of an attack presents an unacceptable risk.

    This is a conundrum for senior management, as they do not usually have the expertise to understand the complexities of the IT environment.

  4. Progress from 'project' to 'process' - Key personnel are identified and a project plan developed, including: objectives, timeframes and financial, human and physical resources required.

    While the initial focus should be on a project that implements information security risk management within your organisation, this should include implementing processes that become part of the way that you do business.

    The ongoing controls need to be documented, implemented and reviewed for effectiveness in mitigating or minimising the risks they relate to.

  5. Understand your information assets - It is important to understand the data and information assets that the business needs to protect. Knowing how important or critical this is to the business will drive the level of protection that is considered cost effective. This starts with a simple data classification scheme that communicates to the IT Manager how much of an investment may be required to protect the data.

  6. Quantitative versus qualitative approach - Risk management is about managing risk to an acceptable level across the business. Risk assessment is the process to identify and prioritise risks to the business. Risk assessments can be either quantitative or qualitative. There are advantages and disadvantages with each approach, with a balance between the two providing the most value.

  7. Understand risks, threats and vulnerabilities - There are some key terms that need to be understood when implementing an effective information security risk management program. Risks, threats and vulnerabilities are just some of them.

    An effective way to understand this is to consider that when a threat (a potential for harm) encounters a vulnerability (an exposure to or lack of defence against a threat) then this results in a risk (a harmful event).

    Examples of threats would be a hacker or a disgruntled current or former employee. Vulnerabilities would include missing patches or updates to virus software, lack of review of security access, inadequate air conditioning in computer rooms, or even unlocked windows or doors.
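To make steps 5 to 7 concrete, the following added example (not from the original article) keeps a small risk register for the assets the article names, scores each entry both qualitatively (likelihood x impact) and quantitatively (annualised loss expectancy), and applies the simple ROSI model from step 1 to decide whether a control is worth funding. The rating scales, dollar figures and the 80% mitigation assumption are all constructed for illustration.

```python
from dataclasses import dataclass

# Qualitative scales (constructed for this example; in practice the business
# agrees these alongside the data classification scheme from step 5).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"minor": 1, "moderate": 2, "major": 3, "severe": 4}


@dataclass
class Risk:
    asset: str            # one of the article's assets, e.g. "credit card data"
    classification: str   # step 5: simple data classification label
    threat: str           # step 7: a potential for harm
    vulnerability: str    # step 7: an exposure or lack of defence
    likelihood: str       # qualitative rating, key of LIKELIHOOD
    impact: str           # qualitative rating, key of IMPACT
    sle: float            # quantitative: single loss expectancy, $ per incident
    aro: float            # quantitative: annualised rate of occurrence


def qualitative_score(r: Risk) -> int:
    """Likelihood x impact on the ordinal scales above (higher = more urgent)."""
    return LIKELIHOOD[r.likelihood] * IMPACT[r.impact]


def ale(r: Risk) -> float:
    """Annualised loss expectancy = SLE x ARO, the quantitative input to ROSI."""
    return r.sle * r.aro


def rosi(annual_loss: float, mitigation_ratio: float, control_cost: float) -> float:
    """Simple ROSI model: (loss avoided per year - control cost) / control cost."""
    return (annual_loss * mitigation_ratio - control_cost) / control_cost


def rank(risks: list) -> list:
    """Order risks by qualitative score, breaking ties on quantitative ALE."""
    return sorted(risks, key=lambda r: (qualitative_score(r), ale(r)), reverse=True)


# Constructed register built from the threats and assets named in the article.
REGISTER = [
    Risk("credit card data", "confidential", "external attacker", "untested customer portal", "likely", "severe", 250_000, 0.2),
    Risk("tax file numbers", "confidential", "former employee", "access card not disabled", "possible", "major", 80_000, 0.5),
    Risk("intellectual property", "internal", "malware on free USB", "no removable media control", "almost certain", "moderate", 20_000, 2.0),
    Risk("personal data", "internal", "rubbish bin trawling", "no document shredding", "unlikely", "moderate", 5_000, 1.0),
]

if __name__ == "__main__":
    for r in rank(REGISTER):
        print(f"{qualitative_score(r):>2} ${ale(r):>9,.0f}  {r.asset} ({r.classification}): {r.threat} via {r.vulnerability}")
    # Is a $15k/yr portal testing and patching programme, assumed to cut the top risk by 80%, justified?
    top = rank(REGISTER)[0]
    print(f"ROSI = {rosi(ale(top), 0.8, 15_000):.2f}")
```

A positive ROSI means the control's avoided loss exceeds its cost; a negative one (for example a $60k control against the $5k/yr shredding risk) signals the spend is not cost effective for that risk alone.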

An information security risk management program can be developed and implemented in a cost effective manner. Without such a program the continuity of the business may be at risk, and the opportunity is missed to reduce business disruption from security incidents whose cost would far outweigh the cost of implementing the program.

Author Credits

If you would like more information about how to implement a successful information security risk management program or to find out more about effective IT Governance, please contact John Halliday, Director, Information Systems Audit, BDO Kendalls on 07 3237 5883 or email john.halliday@bdo.com.au