Main Aspects of Information Security
Modern realities of corporate security
Corporate security is not a new phenomenon. What we now understand as corporate security has existed since the emergence of trade. Merchants sought to protect their professional secrets from competitors in order not to lose profits.
In fact, modern corporate security is not much different from the security that existed long ago; only the business realities have changed. Any company wants to be reliably protected from both external and internal threats. This problem is handled by corporate and information security specialists. Their task is to carry out a whole complex of measures that touch almost every sphere of the company's life:
- Protection of trade secrets;
- Internal work with employees;
- Internal counterintelligence;
- Official investigations;
- Economic security;
- Technical and physical protection.
There is going to be trouble if even one of these points has gaps. Recently a scandal erupted in the UK: hard disks with clinic patient records that were supposed to be destroyed suddenly turned up in eBay auctions.
The hospitals transferred written-off disks to the contractor company, which, in turn, used the services of a private party.
Instead of fulfilling his duties as a conscientious worker, which meant destroying the media, the enterprising Englishman put the disks, data and all, up for sale.
In this case, internal work with employees and technical protection are the two weak links. Let’s figure out why. A chain of intermediaries that was too long resulted in a leak: the customer did not even know who was directly engaged in destroying the disks and whose actions needed to be controlled. In addition, the mere fact of handing disks with unprotected personal data to third parties is a technical failure on the part of the staff.
A responsible approach to ensuring corporate information security would help to avoid this situation. Let’s see what to do to implement an effective data protection system.
Three challenging steps
Before you start building an effective information security system, you need to thoroughly analyze the already existing organization’s data storage and processing system. There are three main steps:
1. Identification of critical information.
2. Identification of weaknesses in corporate security.
3. Assessment of the capabilities for protecting this information.
All these actions can be performed by the staff. You can also commission an information security audit from specialists. The advantages of the first method are lower cost and no third-party access to corporate data. However, if you don’t have experienced security audit specialists, it is best to seek assistance from third-party companies. They will provide a more reliable result and will help to avoid the most common errors.
If threats are overestimated, the security system not only places a heavy burden on the enterprise's budget, but also makes it difficult for employees to perform their duties. This threatens the loss of potential profits and competitiveness.
Identification of critical information. This stage involves identifying the critical documents and data whose leakage would incur huge losses. These are often not limited to commercial secrets.
It is important to remember that third-party auditors are not able to make a list of all the documents to be protected on their own. An auditor should work together with an employee who is well versed in the company's document circulation.
Identification of weaknesses in corporate security. This task is performed by audit experts. The choice of the scheme for building information security depends on the results of this work.
Identifying gaps in information security, and consequently in corporate security, involves more than assessing technical means. Very important points are the differentiation of access rights and the existence of a non-disclosure agreement covering corporate information. It is also crucial to understand the extent of employee loyalty to management and to the corporate environment. This is the responsibility of the HR department.
The theft of information from the start-up Mocality (an online business information base) by the Google office in Kenya is a recent example of an employee taking advantage of his position to steal information. Google had to issue a formal apology to the victims. The head of the office – through whose fault the incident occurred – was dismissed.
Assessment of the capabilities of information protection. This is the final stage of the audit, during which the experts draw up a list of specific measures based on the analysis. These are the measures that must be adopted to protect the corporate secrets. The recommendations can be both technical and organizational.
In addition, this step implies an analysis of the available finances, since information protection tools may be too expensive. Some of these solutions will not be feasible for small businesses. The need for a DLP system is most acute in organizations with 50 or more computers.
Information security is just one of many ways (though the most important) to ensure corporate protection. A set of measures is required, both technical and organizational.
Technical solutions for the protection of corporate secrets include DLP (Data Leak Prevention). This software package monitors all information flows in the organization, from e-mail to programs that use encryption algorithms (for example, Skype) or the HTTPS protocol. It also controls all removable storage media, corporate computers and laptops.
An important feature of DLP systems is self-sufficiency: a company does not need to maintain a full information security department, and a few specialists are enough. Still, only comprehensive protection provides optimal information security.
DLP systems are more than reliable tools for protection of secrets. They have broader functions: with the right approach, you can get information about the mood of employees in the team, track the movement of key documents, and incoming and outgoing messages. As a result, the use of DLP systems can be an effective tool to aid in such important activities as internal counterintelligence or official investigation.
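To make the DLP behaviour described above concrete, here is an added illustration (not code from the original article or from any DLP vendor) of the two checks such a system performs on every outbound flow: matching content against fingerprints of the documents the audit stage marked as critical, and matching it against content rules such as a classification marking or a record-number format. The channels, document contents, internal domain, regular expressions and sample events are all constructed assumptions for the example; the monitor only alerts when a flow leaves the company perimeter.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Constructed sample: documents the audit stage (step 1) registered as critical.
CRITICAL_DOCUMENTS = {
    "supplier_pricing.csv": "Supplier,UnitPrice\nAcme,12.40\nGlobex,11.95\n",
    "patient_export.csv": "id,name,ward\n1,J. Doe,3B\n2,A. Smith,7A\n",
}


def fingerprint(text: str) -> str:
    """Content fingerprint; whitespace and case are normalised so that a lightly
    reformatted copy of a registered document still matches."""
    normalised = " ".join(text.split()).lower()
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


FINGERPRINTS = {fingerprint(body): name for name, body in CRITICAL_DOCUMENTS.items()}

# Constructed content rules: a classification marking and a 10-digit record number.
PATTERNS = {
    "classification_marking": re.compile(r"\b(confidential|trade secret)\b", re.IGNORECASE),
    "patient_record_number": re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{4}\b"),
}

INTERNAL_DOMAINS = {"corp.example"}  # constructed; mail and web hosts inside the perimeter


@dataclass
class Event:
    channel: str                 # "email", "https" or "usb"
    user: str
    destination: str             # mail address, web host, or removable-device id
    body: str = ""
    attachments: dict = field(default_factory=dict)   # filename -> content


@dataclass
class Alert:
    user: str
    channel: str
    destination: str
    reason: str


def leaves_perimeter(event: Event) -> bool:
    """Internal mail and internal web hosts are not leaks; removable media always is."""
    if event.channel == "email":
        return event.destination.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS
    if event.channel == "https":
        return event.destination.lower() not in INTERNAL_DOMAINS
    return True


def inspect(event: Event) -> list:
    """Return the alerts a DLP monitor would raise for one outbound event."""
    if not leaves_perimeter(event):
        return []
    alerts = []
    texts = {"body": event.body, **event.attachments}
    for label, text in texts.items():
        if not text:
            continue
        doc = FINGERPRINTS.get(fingerprint(text))
        if doc:
            alerts.append(Alert(event.user, event.channel, event.destination,
                                f"fingerprint: {label} is a copy of critical document {doc}"))
            continue  # an exact copy needs no further pattern checks
        for rule, regex in PATTERNS.items():
            if regex.search(text):
                alerts.append(Alert(event.user, event.channel, event.destination,
                                    f"pattern: {rule} in {label}"))
    return alerts


# Constructed sample traffic: one exact document copy sent externally, one marked
# draft copied to a USB stick, one harmless internal mail, one web upload with a
# record number in the body.
SAMPLE_EVENTS = [
    Event("email", "alice", "buyer@partner.example",
          body="As discussed, see attached.",
          attachments={"prices.csv": "supplier,unitprice\n acme,12.40 \nGLOBEX,11.95\n"}),
    Event("usb", "bob", "usb-serial-0042",
          attachments={"notes.txt": "Draft - CONFIDENTIAL - do not circulate"}),
    Event("email", "carol", "dave@corp.example", body="Lunch at 12?"),
    Event("https", "erin", "paste.example",
          body="record 123 456 7890 ready for review"),
]


def run(events) -> list:
    """Inspect every event and collect the alerts in order."""
    return [alert for event in events for alert in inspect(event)]


if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS):
        print(f"{a.user:6} {a.channel:6} -> {a.destination:22} {a.reason}")
```

The fingerprint check catches the reformatted copy of the pricing file even though its case and spacing differ from the registered original, which is why a real DLP stores normalised fingerprints rather than raw hashes; the pattern rules catch data that was never registered as a document. Tuning those rules, and deciding which destinations count as internal, is exactly the part of DLP deployment that needs the audit results from the earlier steps.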
However, technical protection of data and tracking of employee actions are not enough. Organizational arrangements, work with staff and the development of internal documentation are also vital.
Organizational work involves informing staff about the use of information security systems in the organization, the need to observe commercial secrets and possible consequences of their disclosure, both for the company and for the employee. Building a friendly working environment is another key element of organizational measures. Corporate security is unachievable if employees are mistrustfully eyeing each other. This cold war will hamper business processes. It bears repeating that the work of the HR department is vital.
Internal documentation should clearly outline the responsibilities of employees, as well as their access rights to certain documents. Each department must perform the assigned tasks – no more, no less.
Don’t forget about such a seemingly elementary thing as the work of the security service. The physical protection of employees in the workplace contributes equally to corporate security.
Solid corporate protection is achievable only by combining technical and organizational protection in this way, and by neither exaggerating nor minimizing threats.