by Vince Warrington
| 1 August 2016
A very large, global business engaged us with a view to creating a new Information Security Strategy after suffering from a number of security breaches which incurred significant losses – one of which was valued at over £20m.
After reviewing their current Strategy and Policies, we discovered four key areas that needed improvement;
- Their current strategy was too focused on technology, with little attention given to the human factors in Information Protection.The result was a strategy that dictated technical solutions (“You must use this specific type of Firewall”) but neglected to consider the wider implications of security.
- Information Security decisions were based entirely upon what the IT Department thought it should be doing, with no input from the business.
- There was no clearly identifiable single point of contact for the business to engage with for Information Security concerns.
- The current practices of the IT Department were directly contributing to the loss of information, with issues such as cloning current or former user accounts for new starters, failing to revoke access for users who had moved on, and neglecting to fully wipe desktops, laptops and external hard drives prior to re-use or disposal.
After discussing the results of our investigation, we agreed to revise their Information Protection Strategy to bring them in-line with current standards, and to give them the flexibility to continue working in a secure fashion without being over-burdened with security.
Central to the new approach was the creation of an Information Security function within the business, reporting directly into the Chief Information Officer.
This enabled the security function to have a voice at C-Level, gave the employees a single point of contact for information security issues and advice, and allowed a clear demarcation between information protection policy and security technology.
Other improvements included;
- A significant reduction in security breaches.
- Installation of a risk-based information protection approach to ensure appropriate protection levels.
- Established a regular, on-going Information Protection Awareness programme for staff, which provided baseline training for everyone and specialised courses for those who needed more in-depth training.
- Enabled a programme of regular monitoring of Information Security Awareness, enabling management to analyse metrics on how well the company was performing.
- Revamped processes within the IT Dept. to eliminate processes detrimental to security.
- Enhancing the in-house Project Management function by including Information Security in the appropriate checkpoints and gates,helping to ensure that no applications were released onto the estate without first being security accredited.
- An increased level of Information Protection awareness amongst staff.
- Prove that all information assets were being appropriately protected and monitored.
- Establish a positive Return on Investment,when the Information Protection budget was compared against previous losses.
Vince is an expert in data protection and cyber security. He runs Protective Intelligence, an information security consultancy.