Information Security: A Competitive Advantage for Business

Business today is information-centric, for manufacturing and service delivery organizations alike. Information is created, stored and processed at every step: industrial controls, business transactions, enterprise collaboration, management information systems, decision support systems and executive information systems. The pull/push-based supply chain management and customer relationship management systems that are the backbone of today's business generate a huge amount of important information.

The change in business processes from manual to electronic involves people, procedures and technology. The combination of all three components results in greater coverage, depth, productivity and availability in business. To survive in a competitive market, organizations cannot compromise on these factors. The development of Information Technology has made it easier to run a business, creating new strengths and opportunities along with known and unknown threats.

79% of businesses believe they have a clear understanding of the security risks they face, but only 48% formally assess those risks. 88% are confident that they have caught all significant security breaches, but only 56% have procedures to log and respond to incidents. 81% believe security is a high priority to their board, but only 55% have a security policy. 77% say protecting customer information is very important, but only 11% prevent it walking out of the door on USB sticks. Only 8% encrypt laptop hard drives.

~ Information Security Breaches Survey, 2008.

The Department for Business, Enterprise & Regulatory Reform, UK

Information is an asset: it has to be protected from unauthorized disclosure to competitors and the media, and it must be available when needed, accurately and completely. Ensuring confidentiality, integrity and availability of information is essential to maintaining competitive edge, cash flow, profitability, legal compliance, commercial image and branding. Organizations that do not treat information as an asset face the consequences of negative growth and soon vanish from the market. Nowadays, securing information is securing the business.

All information that is sensitive, critical or of commercial value, whether printed on paper, stored electronically, transmitted by post or electronic means, or spoken in conversation, has to be protected. A breach can damage within hours the trustworthiness, reliability and reputation earned through ten years or more of effort. Some countries, such as the USA and the UK, have regulations with provisions for securing information, and failure to secure it results in severe penalties.

Everyone, including the board, the CEO, line managers, staff, users and customers, is responsible for information security. Upper-level management is responsible for formulating and enforcing the Information Security Policy. Middle-level managers are responsible for operational activities and awareness. Lower-level staff and users are responsible for following policies and complying with control mechanisms.

Information faces a wide range of threats, including natural, social and technological threats. Risk is the potential harm or loss of an asset. Vulnerabilities are weaknesses in the victim that allow a threat to become effective. Threats are the actions of attackers that can cause harm, and they depend on the attackers' skills, knowledge, resources and motives. Minimizing risk means reducing threats and vulnerabilities, and Information Security is achieved by minimizing risk.

Google has become the largest advertising company on the Internet. The majority of its revenue comes from targeting advertisements to specific consumer needs, which is done largely by collecting data on consumers' browsing habits. Millions of users among us unknowingly provide personal information through Gmail, Google Talk, WebAccelerator, AdSense and other freely available features. What happens if our valuable business information asset is taken by others? With some services, the perceived value is less than the intrinsic value of what is given up.

Digitization of business transactions requires a huge investment in technology and in skilled, efficient human resources. The challenge of using technology effectively and efficiently has never been greater for business organizations. A weaker configuration of technology and people invites competitors to grab the profitable share of the business, which today's business managers cannot consider an option.

Valuable information can be lost through an improper physical environment, through malicious code and through human behavior. Securing the physical environment includes keeping unauthorized persons out and protecting data against fire, water, power loss and earthquakes. Code attacks are those generated by viruses, worms, logic bombs and trojan horses. A weak technical configuration is also a major challenge for Information Security.

Present information technology is based on client-server technology, and networking technology allows unlimited distance between server and clients. Millions of Gmail and Yahoo users reveal nothing of their location or distance to their respective servers. The conversation between server and clients is also an important segment of security, and the Distributed Denial of Service (DDoS) attack is very common in networked environments.

Risk is not only associated with physical and technological means; human factors contribute equally. Social engineering is widely used to extract information from others, and women and children are used in most such cases. The amount of spamming and phishing is increasing day by day. Most spyware records keystrokes and screenshots and sends them to wherever it was designed to report.

Hackers compromise assets only to make the asset owner aware of vulnerabilities; hackers do no harm to the asset. Crackers attack information with malicious intent. Competitors and rival companies target the research and development, plans and strategies of other companies. Students enjoy taking unauthorized information from organizations. An FBI report states that 67 percent of information theft is done by employees. Politics and ideology stimulate people to take information from opponents.

Information Security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investment and business opportunities. It is achieved through a variety of activities and is a comprehensive approach: it starts with generating or creating information and ends with disposing of it, and it deals with all three components, namely people, procedures and technology. To prevent theft of information, we have to take care of physical facilities, access control and awareness. Formulating a good policy and enforcing it effectively is the basic work of Information Security; organizations that have no policy are at greater risk than those that do. An Information Security Policy is a framework document that outlines how an organization uses best practices to protect information, its most important asset, from being maliciously or unintentionally changed, to make it available where and when needed, and to ensure that only those with legitimate rights can access it.

A large financial services company in the UK had outsourced its customer relationship management (CRM) system. Unfortunately, one of the outsource provider's laptops was infected with a virus containing a key logger. This enabled an attacker to capture one of the outsource team's user IDs and passwords. The attacker then used these to access customer details and launch phishing attacks against customers registered in the CRM system.

Lack of the scale to implement technology independently, lack of technical skill sets in existing staff, the complexity of implementing technology (a barrier to entry) and attractive pricing structures encourage organizations to outsource work. When outsourcing, organizations must carry out risk assessment, establish controls, monitor on an ongoing basis and define the level of information access granted to the provider.

Keeping hardware and software at current versions reduces risk. Avoid installing applications from unknown sources. Limit user privileges using access control. Keeping antivirus/antispyware signature databases updated also reduces risk. Transmission of the most valuable information may require virtual private networking (VPN) and encryption. Equipment that holds information, such as hard drives, flash drives and printed documents, must be disposed of carefully so that no information can be extracted through dumpster diving.

Information Security increases the cost of doing business. Business managers have to calculate both the cost of implementing information security controls and the cost of not doing so. The cost of service disruption, incident response cost, direct financial loss and damage to reputation all have to be considered.

To reduce security threats, organizations have to integrate security into normal business behavior through clear policy and staff education. Deploy integrated technical controls and keep them up to date. Respond quickly and effectively to security breaches by planning ahead for disasters and contingencies; every plan should be tested and periodically reviewed. Understand the security threats by drawing on the right knowledge sources, and select controls from ISO/IEC 27002 to reduce the identified risks to an acceptable level. Use risk assessment to target security investment at the most beneficial areas.
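The recommendation above, to use risk assessment so that security spending lands on the most beneficial areas, is easiest to see with numbers. The following is an added example written for this page, not a method from the article or from ISO/IEC 27002: it scores each risk as likelihood times impact, applies candidate controls, and picks controls in order of risk removed per unit of cost until the residual risk is at an acceptable level. The 1-5 scales, the acceptable-risk threshold, the control costs and the reduction fractions are all assumptions, and the risk register is constructed for the example (it borrows the keylogger-on-a-laptop scenario from the text). It goes one step beyond the text by ranking controls on cost-effectiveness rather than only on risk.

```python
"""Risk-driven control selection (added illustration, not from the article).

Assumptions, not taken from the article: likelihood and impact are scored 1-5,
risk = likelihood * impact, residual risk of 6 or less is acceptable, and each
control removes an assumed fraction of the likelihood at an assumed cost.
"""
from __future__ import annotations
from dataclasses import dataclass, field

ACCEPTABLE_RISK = 6  # assumed threshold on the 1-25 scale


@dataclass
class Control:
    name: str
    cost: float       # assumed annual cost in arbitrary units
    reduction: float  # assumed fraction of likelihood removed, 0.0 .. 1.0


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (severe)
    controls: list[Control] = field(default_factory=list)  # candidate controls

    def score(self) -> int:
        """Inherent risk before any control is applied."""
        return self.likelihood * self.impact


def residual_score(risk: Risk, chosen: list[Control]) -> float:
    """Risk left once the chosen controls apply. Reductions compose
    multiplicatively on likelihood: two 50% controls leave 25% of it."""
    remaining = 1.0
    for c in chosen:
        remaining *= (1.0 - c.reduction)
    return risk.likelihood * remaining * risk.impact


def select_controls(risk: Risk) -> tuple[list[Control], float]:
    """Greedy selection: repeatedly take the control that removes the most
    risk per unit of cost until the residual is acceptable or nothing helps."""
    chosen: list[Control] = []
    candidates = list(risk.controls)
    residual = residual_score(risk, chosen)
    while residual > ACCEPTABLE_RISK and candidates:
        def value(c: Control) -> float:
            removed = residual - residual_score(risk, chosen + [c])
            return removed / c.cost if removed > 0 else 0.0
        best = max(candidates, key=value)
        if value(best) <= 0:
            break  # no remaining control reduces the risk
        chosen.append(best)
        candidates.remove(best)
        residual = residual_score(risk, chosen)
    return chosen, residual


def prioritise(register: list[Risk]) -> list[tuple[Risk, list[Control], float]]:
    """Order risks by inherent score, highest first, each with its chosen controls."""
    ranked = sorted(register, key=lambda r: r.score(), reverse=True)
    return [(r, *select_controls(r)) for r in ranked]


def sample_register() -> list[Risk]:
    """Constructed register: values are illustrative, not measured."""
    return [
        Risk("CRM laptop", "keylogger via unpatched software", likelihood=4, impact=5,
             controls=[Control("patching", cost=10, reduction=0.5),
                       Control("antivirus updates", cost=9, reduction=0.4),
                       Control("least privilege", cost=5, reduction=0.3)]),
        Risk("printed reports", "dumpster diving", likelihood=3, impact=2,
             controls=[Control("shredding", cost=2, reduction=0.9)]),
    ]


if __name__ == "__main__":
    for risk, controls, residual in prioritise(sample_register()):
        names = ", ".join(c.name for c in controls) or "none needed"
        print(f"{risk.asset}: inherent {risk.score()}, residual {residual:.1f}, "
              f"controls: {names}")
```

Running it ranks the laptop risk (20) above the printed reports (6, already acceptable, so no spend), and for the laptop it picks least privilege first because it removes the most risk per unit of cost, then patching, then antivirus updates, ending at a residual of 4.2. Swapping in an organization's own scales and cost figures is the whole point; the greedy rule only makes the trade-off visible.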

Information security is an emerging issue for present and future business. Organizations that integrate Information Security have a sustainable competitive advantage over those that do not. Information Security has become a winning factor rather than merely a qualifying factor for future business.
