Information Insecurity; It's a People Problem
A Board member of a big organisation approaches his Governance, Risk and Compliance (GRC) team and says

"Guys, I know we are supposed to do this properly, but I really need this software bought quickly, so I want you to do a light touch due diligence process on it. Okay?"

This is the Board member with overall responsibility for the organisation's Information Security programme.

Information Security - it's a people problem.

A corporate insurance client places its disaster cover insurance with a London broker and says to the broker

"Obviously this deal is confidential."

Three days later the client gets a phone call from another London broker who says

"I hear you've placed your business for this year - I could have got you the same deal for less."

Information Security - It's a people problem.

A retailer decides to develop a new smartphone app to make the browsing and buying experience faster and smarter for its millions of mobile-owning customers. It outsources the development to a specialist app developer.

Months after the app is developed and launched, customer data (names, passwords) is stolen and the retailer's reputation is trashed.

The investigation finds that the app developer had in turn outsourced the development to a number of contractors, one of whom was rogue. No adequate vetting had taken place, and this contractor had managed to plant malicious code in the application's back end.

Information Security - It's a people problem.

The security guard gets a phone call from the IT Manager on a Saturday morning:

"Jim, it's James. I forgot to tell you guys that I've asked the repair company to drop in and collect some servers from the computer room. They should be with you at 2.00 pm. Just let them into the room and they'll take the kit away."

At 2.00 pm, as promised, the computer repair team arrives, shows what appears to be the correct paperwork and security passes, and is let into the computer room. Once in, they remove the equipment and leave. It is only early on the following Monday morning that the company realises its equipment (and data) has been stolen.

Information Security - It's a people problem.

A company director writes a highly amusing and disparaging email about an employee, which he shares with a select group of his colleagues. So humorous is it that one of them can't resist forwarding it to some of her friends outside the firm.

From there it ends up being posted onto Facebook with the result that it goes 'viral.' Now the company is being vilified for its apparently homophobic culture.

Information Security - It Really is a People Problem

These real but disguised examples are just five scenarios to give you a flavour of the types of information security challenge you face. To keep your confidential information, and that of your customers and employees, safe and secure, you need a strategy and a system.

At the very least you need to be explicit about your organisation's risk appetite: to be clear about just how much risk you accept as part of your strategy and daily operations.

Accepting no Risk is Unworkable, Accepting all Risks is also Unworkable. Both Extremes Lead Rapidly to Bankruptcy.

Getting the right balance is a management decision...what decisions have you made recently?

Find out More

You can read more in my recent posts: Information Insecurity; If it Isn't ISO 27001, Can You Trust It? and Information Insecurity; Risking Revenue, Risking Reputation

New Frontiers is here to help you avoid the pain and anguish caused when your critical business information is stolen or leaked. It may never have happened to you or your business, and that is the way you want to keep it! Dealing with the after-effects can be traumatic, time consuming and costly.

We are all aware of how risky the world is and how vulnerable our organisational performance and reputation are when the confidentiality, availability and integrity of our information are adversely affected.

That's why we all need to take a risk based approach to our Information Security Management Systems. And that's where we can help you by:

  • Developing your risk management strategy
  • Undertaking risk assessments
  • Implementing Information Security Management Systems to meet the ISO 27001:2013 standard from a Certified ISMS Lead Implementer (CIS LI)
