Information Security Basics You Must Get to Gain and Retain Market Share
Many organisations see information security as something they should do but believe they lack the resources for it. Some just see it as an overhead that hits the bottom line. But how about thinking of information security in terms of helping you meet your customers' expectations of you?
The Internet and World Wide Web have become great levellers for society and for business, especially for the SME competing against bigger brands.
Take a moment to consider the impact on your business if your access to the Internet were denied to you right now, this minute.
The Internet and our interactions with it are critical to our business success. That means we must understand the business impact of the Internet, what our customers’ expectations now are, and respond in the best way for our business.
As with physical security, where a traditional thief will look for an easy target (poor locks, open windows or doors, etc.), so do cyber criminals. They look for the easy target, and that is, in general, SMEs, because of their poor approach to even the most basic information security precautions!
Why should customers come to you if they do not believe their information is properly protected? Or they cannot trust the information served by you?
Your attitude to information security mirrors your attitude to your customers.
In this article, I shall outline how the Internet has affected customer expectations, describe the 4 key elements of online security that help your business meet those expectations, and recap the most important and cost-effective information security measures your business should take to get those 4 elements in place.
In the online B2C (Business to Consumer) world customers want:
- Personalised service;
- Consistently accurate information;
- Service that is seamlessly and reliably available;
- Access via many channels, including Web, phone, social media, mobile and email;
- 24/7 availability;
- Businesses to be proactive in addressing their needs and responding to their feedback.
Customers' definition of what's fast and what's not has rapidly grown more extreme.
Since smartphones became ubiquitous, the average human attention span has reduced from 12 seconds to just 8. That’s less than the average goldfish attention span of 9 seconds!
As more potential customers use their smartphones to search for and request information, we have to be able to respond in these sorts of time scales.
In B2B (Business to Business), companies are taking advantage of the Internet not only in marketing and sales but also across their total business processes. They use B2B connections to carry out transactions, run applications and services in the Cloud, and generally harness the Internet in myriad ways. Even SMEs can have global reach via the Internet.
Customers expect you to handle their personal data securely while at the same time meeting their service expectations of speedy, accurate, personal service, delivering value and quality across several channels. Your brand reputation, and customer loyalty, depend on all of these factors.
Good information security provides a competitive advantage in meeting modern customer expectations by enabling the business to achieve its goal of securing market share.
4 Key Elements of Cyber Security
To meet our customers’ requirements for speed, accuracy and privacy we need to ensure that any information we share with them is:
- Readily available when they want it (Availability);
- Accurate throughout its life in all channels, by protecting it from being modified, replaced, corrupted or destroyed, either intentionally or unintentionally (Integrity);
- Where necessary, protected from persons not authorised to receive it (Confidentiality).
These are the 3 key elements of information security.
The introduction of specific legislation to address personal data security concerns has had a significant impact on the way we do business; for example, the Data Protection Act (1998), and now the General Data Protection Regulation (GDPR), coming into force on 25 May 2018. So Confidentiality is increasingly important.
The extent to which we implement measures (Controls) to deliver Confidentiality, Integrity and Availability will depend on a fourth key element – Risk.
What's Risk Then?
Risk is the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm (an impact on the asset).
Consider the trivial example of crossing the road. We do this all the time, and assessing the risks involved is second nature to most of us.
We could adopt the hedgehog approach to risk – taking a blind leap of faith and just going for it. The creature doesn’t understand the risks and acts on impulse alone.
As humans we usually take a more informed approach. So what are the elements of risk in crossing the road?
The 3 components of risk, with their road-crossing counterparts, are:
- Threat (a potential cause of an incident that may result in harm to a system or organisation): a fast-moving car;
- Vulnerability (a weakness of an asset or group of assets that can be exploited by one or more threats): a soft, easily damaged body;
- Impact on asset (the result of an incident, caused by a threat, which affects assets): injury or even death.
Risk = Threat x Vulnerability x Impact on asset
Remove any component of risk (make it zero) and there is NO RISK. Reduce any component and you reduce the risk.
The asset in the crossing the road scenario is our body!
How could we reduce the risk we face when crossing the road?
- Use a pedestrian crossing – reduces the threat to the few cars likely to jump the light;
- Lower the speed limit on the road – reduces the vulnerability implied by the speed difference between the car and ourselves;
- Get a lift in a car – the impact on our health as a result of a collision would be reduced;
- Use an underpass or bridge – this removes the threat completely and hence there is no risk. (NB: in some cities, using an underpass in certain areas might introduce an entirely new type of risk, such as mugging.) We need to be aware that sometimes risk reduction might introduce a risk in another area.
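To make the Risk = Threat x Vulnerability x Impact rule concrete, here is an added example (not from the article) that scores the road-crossing scenario and each mitigation above, including the caveat that a control can introduce a new risk. The 0-5 scoring scale, the Risk and Control classes and all numeric scores are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Added example, not from the article. Scales are an assumption: each
# component is scored 0-5, so Risk = Threat x Vulnerability x Impact
# ranges 0-125 and a zero in any component gives zero risk.

@dataclass(frozen=True)
class Risk:
    name: str
    threat: int
    vulnerability: int
    impact: int

    def score(self) -> int:
        return self.threat * self.vulnerability * self.impact

@dataclass(frozen=True)
class Control:
    """Reduces one or more components; may introduce a fresh risk."""
    name: str
    threat: int = 0
    vulnerability: int = 0
    impact: int = 0
    introduces: tuple = ()

def apply_control(risk: Risk, control: Control) -> list:
    """Residual risk after the control, plus any risk the control introduces."""
    residual = Risk(risk.name,
                    max(0, risk.threat - control.threat),
                    max(0, risk.vulnerability - control.vulnerability),
                    max(0, risk.impact - control.impact))
    return [residual, *control.introduces]

def total_score(risks) -> int:
    return sum(r.score() for r in risks)

def best_control(risk: Risk, controls) -> Control:
    """Lowest residual overall, counting the new risks a control brings."""
    return min(controls, key=lambda c: total_score(apply_control(risk, c)))

# Constructed scores for the article's road-crossing scenario.
CROSSING = Risk("crossing the road", threat=4, vulnerability=5, impact=5)
PEDESTRIAN_CROSSING = Control("pedestrian crossing", threat=3)
LOWER_SPEED_LIMIT = Control("lower speed limit", vulnerability=2)
UNDERPASS = Control("underpass", threat=4,
                    introduces=(Risk("mugging in the underpass", 2, 3, 3),))
ROAD_CONTROLS = (PEDESTRIAN_CROSSING, LOWER_SPEED_LIMIT, UNDERPASS)
```

Rescoring the mugging risk higher flips the choice back to the pedestrian crossing, which is the article's point: judge a control by the total residual risk, not by the one component it removes.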
Sadly, many organisations adopt the hedgehog approach to risk every day and regrettably they, too, end up as road kill!
For information security you must consider a broad range of threats, vulnerabilities and impacts on the business, including:
- The cost of physical environment damage (fire/flood);
- Human error (poorly trained staff);
- Equipment malfunction (server breakdowns);
- Hacking (from inside and outside the organization);
- Misuse or loss of data (accidental and malicious);
- Application errors (software bugs);
- And many others.
Risks must be managed!
The Need for Risk Management
Companies and individuals can be prosecuted if their computer systems are used in illegal activity, even if they are not actually carrying out that activity.
Company directors are responsible for the lawful operation of their business through exercising reasonable care, skill and diligence, whatever its size. This includes managing the information security risks to their company.
Once we have identified the threats, vulnerabilities and impacts for our business we can set about mitigating them. This requires us to investigate how we can reduce each component of our risk.
So, what can we do to reduce risks to our information?
We need to consider threats from both malicious intent and accident: what makes us attractive to an attacker, how this might be reduced without impact on the business (for example, through monitoring and detection), and what makes accidents likely or unlikely.
We can reduce vulnerabilities by applying appropriate controls based on our risk analysis. Some controls require support from physical and procedural measures, including staff training.
The structure of IT systems, and how they are used, can reduce the impact of any one compromise. Fall-back and recovery plans help limit damage through rapid and complete recovery.
Can’t I just outsource my risks and make them someone else’s problem?
Unfortunately, it’s not that simple. You can outsource work, such as services, infrastructure, software development, call centre, etc. But the vendors’ risk becomes yours.
Company directors must assess the risks of any outsourced service, and investigate mitigation, before contracts are signed.
You could buy insurance but while this will help you replace tangible assets it cannot rebuild your brand reputation.
Common Online Threats
Let’s look at the most common online threats to your business today.
Ransomware is arguably the biggest threat to us all today.
By getting malicious code onto your systems, criminals encrypt your data and then demand a ransom before they give you the key to decrypt it. This form of attack is attractive to criminals as it is an easy way to make money with little risk.
The most recent example that came to everyone’s attention was WannaCry on 12 May 2017. An estimated 200,000 computers were affected. The fact that the NHS was severely affected brought home to many the potential harm such attacks can cause.
Surveys show the number of Ransomware attacks on small organisations and individuals is increasing.
Phishing is another common form of attack where the criminal attempts to obtain sensitive or useful information from a victim such as user names, passwords, and credit card details (and, indirectly, money), for malicious reasons.
Cyber criminals conduct comprehensive intelligence gathering when preparing an attack. Social media are rich resources for that intelligence.
What sensitive information are you and your staff leaking onto social media?
Have you trained your staff how to recognise Phishing email and how to deal with it?
Hacking encompasses many means to gain unauthorised access to computer systems. Most of the hacking stories in the news media concern big brands.
However, cybercriminals are increasingly turning their attention to smaller firms. Nearly half of the global attacks during 2015 were against small companies with fewer than 250 staff.
Cyber criminals view SMEs as easy targets due to their poor cyber security.
But SMEs are well placed to steal a march on the big corporates and do a good job of defending themselves against cyber criminals.
Because of their size, SMEs are more agile: less bureaucracy and fewer systems mean the measures needed to achieve good information security, and even information assurance governance, are all within easy reach for them to implement.
So, what can you do?
Education and Awareness
Everybody in an organisation has a responsibility for security so you must provide staff with the tools to complete their work securely.
You must train all users of your information assets to be aware of the threats and be competent to fulfil their roles. Staff must understand your organisation’s information security requirements.
Awareness programmes drip-feed your security message to staff so that security becomes second nature and part of business as usual.
This will help build a security culture across your organisation.
There are 5 technical controls that research by Lancaster University, and government evidence, have proven can protect your business from up to 80% of common commodity cyber threats:
- Patching (updating software and operating systems)
- Access controls
- Secure configuration
The government backed Cyber Essentials scheme assesses an organisation's security in these 5 areas and, if satisfactory, awards the organisation a Cyber Essentials certificate.
The Cyber Essentials certificate gives your customers the confidence your business has appropriate security measures in place to protect their information.
Cyber Essentials is increasingly a requirement to bid for central and local government projects.
It is an essential part of data protection/GDPR preparation that your information systems are secure. Cyber Essentials delivers an excellent foundation on which to build.
BPH Training Ltd delivers the IASME accredited Step by Step Cyber Essentials course. On this course we explain the scheme, the 5 controls and how they can be implemented. It also takes delegates through the process, preparing them to undergo assessment. We can also help you with your assessment submission.
Our next Step by Step Cyber Essentials course is scheduled for 28 June in Bristol. You can book a place here.
Call us on 07500 004835 or email us at firstname.lastname@example.org for more information about our training and protecting your organisation’s information.
Customer Expectations You Must Meet Now - Michele McGovern