Equally, information security isn’t just about protecting your business from fraudsters and hackers. It’s also about human error. In many cases, management is unaware of the risks faced through IT systems. These are risks that can be minimised considerably just by implementing the correct privileges and access rights.
For instance, the simple act of making a mistake can lead to bad data or inadvertent data deletion. The consequences of such errors may be every bit as devastating as those caused by a deliberate attack.
Although we have good guidelines, such as ISO 27001, organisations in the UK must understand that they desperately need to invest more time and resources when it comes to information security management. This should not be an isolated, one-off exercise that happens under the auspices of the IT Department, but rather an ongoing activity that demands the full backing of senior management.
Due to the fact that information security is a corporate issue, not just another IT problem, strategic responsibility for ensuring that an organisation defends its assets in an appropriate manner can no longer be delegated to the IT director. The whole company has to take responsibility, and this has to be driven at Board level.
Ultimately, it’s about having a sensible, manageable security policy and professional business rules for everyone to follow rigorously at all times.
No member of senior management wants to see their company hit the headlines for the wrong reasons. To mitigate against this, regardless of what legislation may or may not be in place, the Board must take information security compliance seriously and, more importantly, assume responsibility for its management.
