Every week there are stories about security breaches and guidelines issued on improving security to avoid breaches; from trade bodies, industry experts, software vendors and the Government. For many SMEs, the whole subject can be confusing. Is this something they should be concerned about? And do you, for example, have to do everything in the guidelines, or just some things? This series of blogs provides an introduction to Information Security and what it means for an SME.
Before getting to ‘what is Information Security’, a definition of ‘information’ is needed. Many people think of information as anything that is on their computer systems, possibly with a few pieces of important paperwork such as client contracts.
Information is anything that is required to be ‘controlled and maintained by an organisation, along with the medium on which it is contained’. Translated into English, this means it is anything needed to run a business. It does not matter if it is stored electronically, on paper, or even something that is talked about. It includes client information, HR records, business strategy and finance records, intellectual property, designs, code etc. Some examples:
- On Paper – stored in an office or offsite in a storage facility. Includes HR records.
- On desktop, laptops, tablets and phones
- On USB sticks and USB drives
- On Websites
- On Social Media accounts
- In the Cloud
- In Databases
- In Emails
- In SMS messages
- In code libraries
- In designs
- In our heads – communicated verbally
Information Security is the protection of all types of information from unauthorised access, use, misuse, disclosure, destruction, modification, or disruption.
Guidelines to improve security address items from the list above. If the guideline is, for example, ‘use complex passwords that contain at least 8 characters including a number and an upper case letter’, it addresses unauthorised access by guessing. However, if a third party obtains the password itself (for example through a phishing email, or because it was reused on another site that was breached), it can be used to log in irrespective of how complex it is, causing a security breach. The guideline addresses guessing, not disclosure.
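The point above, and the ‘make it longer’ option discussed further down, can be made concrete with a small checker. The following is an added example written for this article, not code from the original post: it applies the 8-character complexity rule exactly as worded, estimates how large a space an attacker guessing blindly would have to search, and checks the password against a constructed stand-in for a list of leaked passwords (a real deployment would use a breach corpus such as the Have I Been Pwned list; the four entries here are an assumption for illustration only).

```python
import math
import string

# Constructed stand-in for a leaked-password list (assumption for this example;
# a real check would query a breach corpus such as Have I Been Pwned).
LEAKED_PASSWORDS = {"password", "Passw0rd", "Welcome1", "Summer2019"}


def meets_complexity_rule(password: str) -> bool:
    """The guideline as worded in the text: at least 8 characters,
    including a digit and an upper-case letter."""
    return (
        len(password) >= 8
        and any(c.isdigit() for c in password)
        and any(c.isupper() for c in password)
    )


def guess_space_bits(password: str) -> float:
    """Rough ceiling on the search space for an attacker guessing blindly:
    alphabet size (from the character classes actually used) to the power of
    the length, expressed in bits. Real attackers start from wordlists, so
    this is an upper bound on effort, not a guarantee."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)
    if any(c.isspace() for c in password):
        alphabet += 1
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def assess(password: str) -> dict:
    """Combine the three views: does it pass the rule, how hard is it to
    guess, and is it already known to attackers (in which case the first
    two do not matter)."""
    return {
        "meets_rule": meets_complexity_rule(password),
        "guess_space_bits": round(guess_space_bits(password), 1),
        "known_leaked": password in LEAKED_PASSWORDS,
    }


if __name__ == "__main__":
    # "Passw0rd" satisfies the rule but is on the leaked list;
    # the long lower-case passphrase fails the rule but is far harder to guess.
    for pw in ("Passw0rd", "correct horse battery staple"):
        print(pw, assess(pw))
```

Running it shows the two halves of the argument side by side: ‘Passw0rd’ passes the complexity rule with a search space of roughly 48 bits yet is already leaked, so the rule buys nothing; the 28-character passphrase fails the rule but has a search space of over 130 bits. Length and a leaked-password check do more than a character-class rule on its own.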
Improving Information Security
Improvements are made to ensure sustained business success and continuity, and to minimise the impact of information security breaches. Continuing with the example of a password, this one will be for the company Twitter account. The obvious options for improvement include: making it longer, not writing it down, making sure that anything written down is stored securely (such as in a locked drawer), and enabling multi-factor authentication. When multi-factor authentication is enabled, a confirmation code is sent to another device when someone tries to log in, usually as an SMS message to a mobile phone, and this code has to be entered to complete the login. An authenticator app or a hardware security key is a stronger second factor than SMS, because text messages can be intercepted or redirected to an attacker’s phone, but any second factor is a large improvement over a password on its own.
Three aspects have to be considered before making improvements: confidentiality, integrity and availability. Each of the options above helps with one of them and can hurt another.
- Making passwords longer – reduces the chance of someone guessing it (increases confidentiality), but it is harder to remember, so it is more likely to be mistyped or written down to keep it accurate and complete (integrity).
- Avoid writing it down – improves confidentiality but not integrity (as it could be forgotten), or availability (if the person that knows it is not available).
- Store in a secure area – gets around the issue of an unauthorised person gaining access, but if the one person that can get into the secure area is not available, then no one can log in (availability).
- Enable multi-factor authentication – improves confidentiality and integrity, but there is an availability issue if the person with the phone that will receive the SMS message is not available.
So what is the answer? It depends on the business risk of someone taking over the Twitter account and tweeting links to inappropriate websites, or text that could cause offence. As Twitter is a key communication channel for many businesses, the risk is high and therefore multiple actions are appropriate. The actions are likely to be:
- a) have policies for storing sensitive information in a secure area (this could include a clean desk policy),
- b) enabling multi-factor authentication,
- c) storing the backup codes that are generated when multi-factor authentication is enabled in a secure area that can be accessed by two or more senior members of staff and,
- d) training staff to inform them about the policies and how to access the backup codes.
What is Cyber Security?
Many people switch between the terms Cyber Security and Information Security, but they are different. Cyber Security is a subset of Information Security. It covers security measures for networks, computers, mobile devices, email and anything else related to IT. It does not cover aspects such as physical security of buildings, exposing sensitive information in public places, paper records and dealing with social engineering threats, i.e. the ‘human factor’.
Summary
Information is anything that is required to be controlled and maintained by an organisation, including the medium on which it is contained. It does not matter if it is stored electronically, on paper or something that is talked about. It includes client information, HR records, business strategy and finance records, intellectual property, designs, code etc.
Information security is the protection of all types of information from unauthorised access, use, misuse, disclosure, destruction, modification, or disruption.
Improvements to information security are made to ensure sustained business success and continuity, and to minimise the impact of information security breaches. Three aspects have to be considered before making improvements: confidentiality, integrity and availability. The resulting action will be a compromise between them.
Cyber Security is a subset of Information Security. If a guideline makes no mention of physical security, paper records or dealing with social engineering, it is covering Cyber Security only, not the whole of Information Security.
Find out more on how to improve your information security at http://wadiff-consulting.co.uk/first-step-to-improving-information-security/