When you’re building your information security defences, you obviously need to prioritise where to focus your energy and resources.
This means you need to know where to look for weaknesses, understand the kinds of things that typically go wrong, and then identify where your vulnerabilities are. Obviously you’ll do this as part of your risk assessment.
If you’re just thinking about cyber security, you’re in the wrong place here. (Nevertheless, do not underestimate the size of the cybercrime problem.) Here, we’re looking at information security in its entirety. If you want to build a complete, all-encompassing information security system (such as the ISO 27001 Information Security Management System) that extends beyond the digital realm, you need to think ‘big picture’.
Hopefully this will inspire you to think about aspects that you may not otherwise consider.
Let’s start with this and get it out of the way, but we’re not going into detail here. Threats come from left, right and centre in the shape of ransomware, APTs, DDoS attacks, phishing scams, website vulnerabilities and so on. You really need an approach to this whole aspect of your business that involves more than just keeping antivirus and anti-malware software up to date and backing up important information. The nature and size of your business will determine what resources you allocate to this. If you don’t have the skills in-house, look to get the support of a qualified supplier, even if only to perform a risk assessment.
While it may fall under the auspices of general cyber threats, this is one area worthy of consideration on its own. Email is one of the primary mediums of communication, with traffic flowing in both directions. The main problem here is that staff can fall prey to phishing scams, especially if they haven’t been trained adequately on how to identify and avoid these attacks. Also be careful of sending email attachments containing sensitive data - make sure to password-protect documents or use other, more secure means of sharing files.
This is a big one. We’re only human and we all make mistakes. Technology can only go so far in helping us, for instance by filtering spam out of our email. Most information security incidents are actually the result of human error, for example: employees choosing weak passwords, leaving documents in public places, sending emails to the wrong recipient, accidentally deleting data and so on. Policies, procedures and training are essential, but you should not be afraid to apply your disciplinary procedures where it's merited. Staff need to know how important this topic is.
Social engineering is a tactic that relies on manipulating people into revealing sensitive information or performing certain actions. Techniques include impersonation, pretexting and baiting. Basically, it’s falling victim to con artists. Staff need to be aware of the threats and be able to recognise these situations. This is particularly the case when dealing with people on the phone.
Sadly, you sometimes do get a bad apple. Employees with access to your company’s sensitive information can intentionally steal sensitive data, leak confidential information, instal malware and just generally make a mess of things for you. To prevent insider threats, it’s important to have strict access controls in place and to regularly monitor employee activity - and recruit the right people in the first place.
Physical Security Breaches
This includes unauthorised access to physical premises or equipment, including theft, vandalism or sabotage. To prevent physical security breaches, it’s important to have secure physical locations, such as locked doors and restricted access areas, and to use surveillance cameras, alarms and other security measures.
Supply Chain Attacks
This refers to breaches that occur through an external supplier or third party that you rely on. An attacker can target these third parties and compromise their systems in order to gain access to your sensitive data. To prevent supply chain attacks, it’s important to keep a check on the security practices of your suppliers, as well as to have a robust incident response plan in place.
Overall, it’s essential that you’re aware of the many different sources of threats facing your organisation. There are possibly more than those listed above, but hopefully this gives you a starting point.
The ISO 27001 Information Security Management System is the ideal mechanism for enhancing information security in your organisation. To find out more about this internationally recognised best practice standard, get in touch with the Technical Sales Team at Alcumus ISOQAR.