Organizations consider employees their biggest asset, yet employees are also the route by which most cybersecurity threats reach the organization. The human factor is widely regarded as the weakest link in cybersecurity, and throughout the history of the field employees have been responsible, directly or indirectly, for a large share of security breaches. The human factor therefore needs as much attention as the technical aspects of cybersecurity. Non-compliance with security policies is one of the greatest challenges organizations face today.
A security policy is a formal document that defines acceptable and unacceptable behaviour within an organization in relation to information security. As part of implementation, the IT security policy must first be developed and approved by the organization's top management, and then communicated to all employees so that they can comply with it.
A sample IT security policy may cover the following areas.
The successful implementation of information security policy is associated with challenges in areas such as management policy, dissemination, user awareness and user behavior. A number of factors have a direct effect on user behavior in relation to information security policy, and these can be categorized into human and organizational factors.
There are a number of international standards and frameworks for IT security policy. Two that an organization can adopt as the basis for its own policy are described below.
ISO/IEC 27001:2013 (also known as ISO 27001) is the international standard that sets out the specification for an information security management system (ISMS). The 2013 edition has since been superseded by ISO/IEC 27001:2022, so new implementations should target the current edition.
Its best-practice approach helps organizations manage their information security by addressing people and processes as well as technology.
The NIST Cybersecurity Framework is voluntary guidance, based on existing standards, guidelines and practices, that helps organizations better manage and reduce cybersecurity risk. In addition to helping organizations manage and reduce risk, it was designed to foster communication about risk and cybersecurity management among both internal and external organizational stakeholders.
Threats such as social engineering attacks have a direct impact on organizational security. Users who are aware of these attacks are far better placed to mitigate them. Take a phishing mail arriving in a user's inbox: if users know not to click the links or submit sensitive information such as passwords, there is no ambiguity about the correct course of action. The IT security policy is the document that specifies the correct use of organizational resources, in the form of its acceptable-use provisions. Another example is a social engineering attack in which the attacker uses impersonation to gather information from the organization; users trained to recognize such attempts can thwart them easily. Awareness should still be backed by technical controls such as multi-factor authentication and mail filtering, because some phishing attempts will succeed even against trained users.
Today's organizations depend on computer and network technology. Widespread use of technology creates digital vulnerability for organizations that do not set clear rules and guidelines for its use. Employees will act according to their own perception of acceptable use, system management will be ad hoc and inconsistent, and staff will not know whether they are acting within the organization's risk appetite.
The risks of not defining acceptable use and management standards for IT systems include:
Effective information security policies protect the staff as much as the organization.
A strong training program that is contextually appropriate for each position gives staff members the knowledge they need to understand and properly respond to cyber threats.
Strong passwords are often the first line of defence. The policy should cover password reuse (across systems and across time), guidance on creating strong passwords, and when passwords must be reset. Current guidance (NIST SP 800-63B) favours length and screening against known-breached passwords over complex composition rules and mandatory periodic resets, so "when to reset" is best tied to evidence of compromise rather than to a calendar.
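As an added example (not part of the original page), the following Python checks a proposed password against the kind of policy described above: a minimum length, a breached-password list, the username, and reuse of any of the last N passwords. The breached-password set and the PBKDF2 parameters are assumptions for illustration; a real deployment would consult a breached-password feed and store only the salted hashes of previous passwords, which is why the reuse check has to re-hash the candidate with each stored salt.

```python
import hashlib
import hmac
import os

MIN_LENGTH = 12          # assumed policy value
HISTORY_DEPTH = 5        # assumed policy value: no reuse of the last 5 passwords
PBKDF2_ROUNDS = 100_000  # assumed; tune to your hardware

# Constructed sample of known-breached passwords (illustrative only).
BREACHED = {"password123", "welcome2024", "letmein!", "qwerty123456"}


def hash_password(password, salt=None):
    """Return (salt, digest) for a password using salted PBKDF2-HMAC-SHA256."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches(password, salt, digest):
    """Constant-time comparison of a candidate against a stored salted hash."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def check_password(candidate, history, username=""):
    """Return a list of policy violations; an empty list means the password is acceptable.

    history is a list of (salt, digest) tuples, oldest first, for the user's
    previous passwords. Only the most recent HISTORY_DEPTH entries are checked.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in BREACHED:
        problems.append("appears in breached-password list")
    if username and username.lower() in candidate.lower():
        problems.append("contains the username")
    if any(matches(candidate, salt, digest) for salt, digest in history[-HISTORY_DEPTH:]):
        problems.append(f"reused within the last {HISTORY_DEPTH} passwords")
    return problems


def build_history(passwords):
    """Helper that stores previous passwords the way a system should: as salted hashes."""
    return [hash_password(p) for p in passwords]


if __name__ == "__main__":
    hist = build_history(["OldPass-2021-xyz", "Summer-Garden-77!"])
    for pw in ["welcome2024", "Summer-Garden-77!", "alice-likes-cats-2025", "correct horse battery staple"]:
        print(f"{pw!r}: {check_password(pw, hist, username='alice') or 'OK'}")
```

Because reuse is checked against hashes rather than plaintext, the check costs one PBKDF2 computation per remembered password; keep HISTORY_DEPTH small enough that this stays acceptable at login-scale volumes.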
Implement a Bring Your Own Device (BYOD) policy that sets expectations for which devices employees may use, the security those devices require, and how data on them will be managed. A BYOD policy should also cover remote wiping of data, device locks and Wi-Fi access.
Certain types of internet usage put the organization at higher cybersecurity risk. Implement clear policies that define how employees may use the internet, what types of content must be avoided, and which devices may be used to do so.
Attackers use social media to distribute malware and to gain access to user accounts. A social media use policy dictates how employees may use these sites, explains which activities are prohibited, and is backed by technical restrictions where needed.
USB drives and personal cloud storage accounts might be convenient, but they can open up many problems in the business environment – mostly because data can end up in places it shouldn’t be.
Employees should be trained on the risks of storing company documents in unsecured places, and the organization should provide designated storage locations under its own control for company files.
Excess permissions increase risk. Grant users role-based access with the least privilege their job requires.
This part of the internal security policy should cover user account audits and account management as a whole. For example: what happens when an employee leaves or is dismissed? Who is responsible for removing their access? And by when must that removal happen?
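As an added example (not from the original page), the following Python implements the account audit that those questions call for: it reconciles an account list against the HR roster and flags enabled accounts whose owner has left (with an "overdue" marker when the deprovisioning deadline has passed), accounts with no owner in the roster, and accounts that have not logged in for a long time. The roster, the account list, the 1-day deprovisioning deadline and the 90-day dormancy threshold are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

DEPROVISION_SLA_DAYS = 1   # assumed policy: access removed within 1 day of leaving
DORMANT_DAYS = 90          # assumed policy: no login for 90 days is suspicious


@dataclass
class Employee:
    emp_id: str
    name: str
    status: str                  # "active" or "terminated"
    left: Optional[date] = None  # set when status == "terminated"


@dataclass
class Account:
    username: str
    owner_id: Optional[str]      # None for accounts nobody has claimed
    enabled: bool
    last_login: Optional[date]
    privileged: bool = False


Finding = Tuple[str, str, str]   # (username, finding type, detail)


def audit_accounts(roster: List[Employee], accounts: List[Account], today: date) -> List[Finding]:
    """Return findings for enabled accounts that should not be enabled or need review."""
    by_id = {e.emp_id: e for e in roster}
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue  # disabled accounts are not an exposure; policy may still require deletion
        owner = by_id.get(acct.owner_id) if acct.owner_id else None
        prefix = "privileged " if acct.privileged else ""
        if owner is None:
            findings.append((acct.username, "orphan", f"{prefix}account has no owner in the HR roster"))
        elif owner.status == "terminated" and owner.left is not None:
            overdue = (today - owner.left).days > DEPROVISION_SLA_DAYS
            detail = f"{prefix}account still enabled; {owner.name} left on {owner.left.isoformat()}"
            findings.append((acct.username, "leaver", detail + (" (overdue)" if overdue else "")))
        if acct.last_login is None or (today - acct.last_login).days > DORMANT_DAYS:
            when = "never" if acct.last_login is None else acct.last_login.isoformat()
            findings.append((acct.username, "dormant", f"{prefix}account last login: {when}"))
    return findings


def sample_data():
    """Constructed HR roster and account list for demonstration."""
    roster = [
        Employee("E100", "Alice", "active"),
        Employee("E101", "Bob", "terminated", left=date(2024, 5, 1)),
        Employee("E102", "Carol", "terminated", left=date(2024, 6, 9)),
    ]
    accounts = [
        Account("alice", "E100", True, date(2024, 6, 8)),
        Account("bob", "E101", True, date(2024, 4, 30), privileged=True),   # left weeks ago, still enabled
        Account("carol", "E102", True, date(2024, 6, 7)),                   # left yesterday, within SLA
        Account("dave", "E999", True, date(2024, 6, 1)),                    # owner not in roster
        Account("svc-backup", None, True, None),                            # never logged in, no owner
        Account("eve-old", "E100", False, date(2023, 1, 1)),                # disabled: ignored
    ]
    return roster, accounts


if __name__ == "__main__":
    roster, accounts = sample_data()
    for username, kind, detail in audit_accounts(roster, accounts, today=date(2024, 6, 10)):
        print(f"{kind:8} {username:12} {detail}")
```

Running this on a schedule and feeding the "leaver" and "orphan" findings into the deprovisioning workflow answers the three policy questions with evidence rather than assumption; the "privileged" marker lets reviewers treat administrative accounts first.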
Fighting back against sophisticated attackers requires systematic support at every level of the company. Cybersecurity should be presented to every employee as a serious topic, and ongoing training should keep staff current.
Staff members may fall victim to security threats simply because they don’t know who to contact if they run into problems. The IT policy should clearly define communication channels – who to contact, for what specifically, and how.
Information security governance directs and controls the organization's security approach and then verifies that the established security procedures are effective and are practised continuously across the organization.
When we talk about information security, the first thing that comes to mind is "cyber attacks". Cyber-attacks visibly target an organization's IT systems and network, so the IT department or information security team is usually designated as the party responsible for all information security issues across the company.
The IT systems and network, however, only transmit, process and store information that belongs to the business. The business units that work with that data every day know exactly how sensitive it is and how critical a particular system is to the business. Business data owners should therefore be involved in decisions about securing the data they create, process and store, and should share responsibility for safeguarding it.
Safeguarding information is not only a technical task; non-technical aspects matter as well. There are numerous ways in which a data breach or data theft can happen physically or verbally.
Whenever a data breach happens, it affects not just a few people but tarnishes the reputation of the whole company. Customers lose trust, and as a result the company may face financial consequences as well.
Therefore, information security should be included into corporate governance as a subset, as it has become a business related challenge. It should be incorporated in the company’s business strategies. Effective security requires the active engagement of executive management to assess the impact to the business due to emerging threats and provide strong cyber security leadership.
Information security should always be established top down, from the board of directors and CEO through to third-party contracted staff, as this is the most effective way to impose rules within the company. It is recommended to appoint a person with the right expertise and experience in information security to the company's C-suite.
A Chief Information Security Officer (CISO) is responsible for developing an appropriate security governance body with representatives from each department of the company, including board members and the CEO. This body should serve as a forum for discussing security risks and making decisions that add value to the corporate business strategy.
It is not easy to draw the attention of senior management and win their backing for an information security framework. They see the high cost of security solutions but no visible return on investment. The CISO and team must therefore be able to convince senior leadership of the drawbacks of an unsecured business and the long-term benefits of a secured one in terms they understand: financial facts and figures, and real-world cyber-attack incidents that illustrate the business risk.
When establishing information security, select a framework that caters to the organization's security requirements. Standards such as ISO 27001 provide suitable guidelines.
The following questions will help you decide what approach should be taken when implementing security.
In fact, the correct approach to governance is to identify which security decisions need to be made and who will make them.
A good security governance programme should:
An organization must weigh security requirements alongside other business priorities such as financial governance or health and safety. Security needs should be analyzed with the same rigour as financial analysis when important organizational decisions are made.
An organization should agree on a security governance structure that is integrated into its corporate governance and tailored to the company, rather than simply following a generic framework. Adopting an information security governance process does not deliver good security unless it is practised by everyone in the company every single day.
If yes, then your business will be vulnerable to a vast range of security risks, regardless of the size of your company. No matter whether it is a self-employed business, a start-up or a global conglomerate, whether you use IT systems to process data or do it all manually, if there are financial data, customer or other stakeholder data, business plans, staff data, you must implement data security procedures.
To make it clearer, let’s see why data security is important.
Every organization has become a potential target of cyber criminals, regardless of the size and nature of the business. The aim is mainly either to disrupt business processes or to steal data.
The majority of cyber-attacks, however, are carried out to steal data rather than to be purely destructive.
With increasing digitalization, data has become a financially valuable asset, often described as the new gold. Criminals most often look for financial details of the business; financial details of customers, stakeholders and employees; confidential personal information of customers and employees; intellectual property; and details of the company's IT systems and infrastructure (for example, to manipulate online payment gateways and purchase items from online stores for cents). The stolen data is eventually sold on, and misused against the business or its stakeholders, causing even more damage.
A successful security breach causes major damage to the business. The impact falls into three main categories: financial, reputational and legal.
A security breach often results in massive financial losses: theft of confidential information including financial data, theft of money, manipulation of financial data, disruption of ongoing business processes, loss of business contracts or partnerships and, last but not least, the considerable cost of recovering from the attack.
Loss of reputation is another adverse consequence of a security breach. Current and future customers and business partners lose trust, which eventually causes indirect financial losses. Nobody is happy about their money, financial data and personal details falling into the wrong hands.
The data protection and privacy laws of a country and its regulators require a company to safeguard all confidential information about its stakeholders. If this data is compromised, intentionally or unintentionally, the organization faces fines and regulatory sanctions, which again cause indirect financial losses and reputational damage.
Security breaches can wreck even a well-established organization. An effective information security programme will:
Therefore, taking all of these advantages and disadvantages into account, it is clear that every business should establish an information security programme, incorporate it into its business strategy and practise it regularly.
If you have a small business, you may be asking yourself, “Why is privacy important?” Don’t assume you’re safe from hackers because you aren’t a global enterprise.
Suppose your personal data were lost, stolen, improperly disclosed or improperly used. What would your reaction be?
If a company violated its privacy policy and improperly shared your data with another company, would that affect your decision to deal with it in the future?
Consumers have become increasingly connected and are constantly sharing information online. They are researching, purchasing and using online products and services, via any number of connected devices. They are also opting in to share their preferences as part of interactions on social media and search sites. Customer data is being collected by device manufacturers, desktop and mobile apps, internet providers and mobile operators for their own purposes or to sell to other businesses.
Most businesses today are connected to other business partners in our highly interdependent world commerce. Businesses may be using a hosted webstore, a separate email marketing provider and a different website hosting operation. All of them deploy different ways of dealing with customer’s information. When businesses offer or receive customer referrals, that information is coming and going and potentially exposed and treated differently by each entity.
Due to information exposure, businesses need to think more broadly and deeply about privacy. Privacy isn’t just a few paragraphs in a terms and conditions of use page in your website. Privacy is embedded in everyday interactions with customers. Privacy is something that can impact a brand, disrupt the customer experience and potentially damage a company’s reputation. Protecting user privacy will enable you to drive more revenue and gain more customers.
Safeguarding customer privacy is more than a protective measure; it is also a strategic opportunity for brand growth and a potential business opportunity for startups and entrepreneurs, as well as large companies.
The growth in connected devices, combined with increasing consumer concern about security and privacy breaches, will further expand the already substantial market opportunity around privacy.
Entrepreneurs and startups have an opportunity to build new business as a result of this emerging reorientation around privacy and trust. Business opportunities will surface around privacy platforms and services for businesses and consumers.
Demonstrate your commitment to customer privacy. There are steps any business can take to adopt best practices for protecting customers' information. First and foremost, build privacy into your products, not just into your privacy policy.
To show that your business takes privacy seriously, provide customers with tips on safeguarding their own privacy when conducting business, such as:
These steps and considerations will go a long way in protecting customers’ privacy as well as protecting your business.
Data breaches can cost businesses millions of dollars. Large companies can sometimes absorb these expenses, but a breach still damages their reputation and puts clients' sensitive information at risk. For smaller businesses, a data breach can lead to business failure.
Ransomware can encrypt your data and demand a large ransom to restore it, and paying does not guarantee recovery. Other data breaches can lead to loss of customers or disruption of your operations.
Data helps you optimize your operations and maintain accurate records. It can also help you serve customers more effectively. Data gives you a competitive advantage. And it’s a necessary tool in today’s business environment. But not all data is useful. Some of it gets old or becomes obsolete.
Delete obsolete data periodically to protect your business. If you have printed records that are no longer useful, you should shred and dispose of them offsite.
A data breach can do long-term damage to your company’s reputation. This is especially true when customer data is involved. If you keep customer data, your customers are trusting you to keep it safe. They also trust you to dispose of it safely when you no longer need it.
Don't wait: take steps now to implement business data protection across your company.
Ensure your employees understand privacy legislation, and tell service users and staff why you are collecting the data
Maintain an inventory of all sensitive and personal data that you store and process
Establish a suitable privacy policy and review it periodically to incorporate any significant changes
Define which access rights should be granted and how changes to them are handled
Ensure you hold your customers' consent before you process their data
Implement a procedure for handling data breaches
Carry out data protection impact assessments
Determine whether you need a Data Protection Officer (DPO) and appoint one if so
In today's world every organization is at risk of cyber-attacks, as data breach and security incident surveys by various firms confirm. Some businesses are targeted more than others: according to the Verizon Data Breach Investigations Report (2019), small to medium businesses (SMBs) are a prime target for cyber-criminals and accounted for 43% of all data breaches. SMBs attract cyber-criminals partly because of the false sense of security these businesses have about cyber-attacks.
In the SMB context it is increasingly evident that employees do not have sufficient knowledge or training to detect or avoid potential cyber-attacks. The best way to tackle this is to create a risk-aware workplace culture, starting with cyber security awareness. Cyber security awareness is multidimensional, and the right balance between knowledge and training is crucial: knowledge improves employees' understanding of the implications of cyber threats, while training equips them to act as a line of defence against actual attacks.
Organizations must build a cyber-threat knowledge culture among employees. This can be done through periodic workshops, demonstrations, flyers, e-flyers and carefully prepared advisories. A lack of specialist knowledge can hinder SMBs here, so engaging security specialists and circulating advisories and guidelines from government and non-government authorities go a long way toward filling the gap. Whatever the method, the objective is a continually updated knowledge culture that emphasizes the evolving nature of cyber threats.
Training employees to detect and avoid cyber-attacks can be challenging, but with the right approach and assistance it can succeed. CEOs and managers are encouraged to create a culture that incentivizes training. Periodic security training should cover, but not be limited to, email, internet use, social media, digital media devices, password management and mobile phone usage.
A culture of cyber security awareness should not give you a false sense of security; it does not make your company fully resistant to data theft or cyber-attacks. Employees should also be trained and informed about data and service recovery strategies, and about their roles and responsibilities within the company's recovery plan.
Your employees should always know that the weakest link in cyber security is the human factor. If they cannot make an informed decision about a potentially risky situation, such as an unknown network connection, an email attachment or an app, they should be directed to a knowledge source that can help them in their daily work. Your company's security posture is only as strong as your least-prepared employee, so it is your responsibility to foster a risk-aware culture using all available resources.
Verizon, 2019 Data Breach Investigations Report (DBIR), Verizon, New York, USA, 2019.
Every business around the world uses software products for efficient management of business processes, communication, and multitude of other activities. Irrespective of the type of the product, almost all of these require activating licenses. A license can be perceived as a contract between the software vendor and its end user with respect to use of one or more copies of the product. Software licensing terms and conditions usually include fair use of the software, the limitations of liability, warranties and disclaimers and protections if the software or its use infringes on the intellectual property rights of others.
A license agreement typically stipulates the agreed upon use of the software such as, how the software can be used, where it can be installed, number of instances allowed, copying modification and redistribution limitations etc. There exist various types of licensing agreements with varied restrictiveness with respect to the above-mentioned stipulations.
It is important to understand the relationship between a license agreement and patching. A patch is a set of changes to a program's code or supporting data that fixes security vulnerabilities or improves performance, functionality or usability. Patches apply to software and to hardware (firmware) products and services, and may be applied manually or automatically depending on the complexity of the change. The importance of patching cannot be overstated, and many businesses now treat patch management as one of their key activities, prioritising fixes for vulnerabilities that are actively exploited. License agreements typically include provisions for patching and subsequent improvement of the product or service.
Licensing and patching play an important role in the overall IT governance of a business and are key to the sustainability of products and services. In the short term, unlicensed software can look attractive to small and medium enterprises because of the costs involved, but the legal and security implications heavily outweigh any short-term gain.
Unlicensed products and services can have catastrophic legal implications, as most legal systems now treat software piracy under both civil and criminal law. Although some products initially work without a license, vendors can now verify registration and render the product unusable; such an abrupt loss of functionality could mean a large financial loss for your company. Unlicensed products are also never backed by vendor technical support, so during a technical failure you have no one to turn to. That is a productivity risk not worth taking. The most serious concern, however, is the complete or partial unavailability of patches and fixes, which exposes the organization to numerous cyber threats with potentially calamitous results. According to the Harrison Group, 24% of pirated copies of Windows were either already infected or automatically downloaded malware as soon as they connected to the Internet. Even when an unlicensed product is not itself infected, the lack of patches and updates leaves it exposed to a wide range of security risks. Any short-term benefit of unlicensed products and services is clearly outweighed by these drawbacks.