Protect and survive

30 Jun 11
Information security is everyone’s responsibility. In the era of smartphones and apps, the risks have multiplied and now we all have to watch out
By John Thornton | 1 June 2011


Who is responsible for information security in your organisation? At this point, you are probably tempted to stop reading – thinking this is somebody else’s problem and that it requires a technical understanding of computing. But bear with me.

Information security is not new; organisations have always invested in lockable filing cabinets and security doors to physically protect their data. Information is the life-blood of modern organisations and so safeguarding it has become even more important.

However, it has also become more tricky with modern ways of working and increasing reliance on IT.

In recent years, there have been numerous high-profile cases of data losses by public sector bodies.

One infamous example was when two Revenue & Customs CDs, containing personal details of 25 million child benefit claimants, went missing in the post. These cases not only highlighted poor information management practices but also the risks to organisations in terms of lost trust and poor publicity. There is, for example, an inherent conflict between giving service users, employees and partners easy access to data and protecting corporate and personal information.

As new ways of providing services and conducting business emerge, so do new security risks. Remote and mobile working has expanded significantly. It is estimated that around 25% of mobile phone users have a smartphone and increasingly employees are using the same device to access both personal information and corporate systems. They can download a wide range of mobile applications (apps) – from games to maps, films, TV shows and much more – that load data directly to their smartphones and other mobile devices.

In late February, a key source of apps – the Android Market – was targeted by criminals who downloaded legitimate apps, infected them with identity-stealing software and then re-uploaded them under different names. Within a few days, before the fraud was spotted, more than 200,000 apps had been downloaded.

This gave the hackers the ability to download data remotely from infected handsets, enabling them to impersonate users, fraudulently access data and run up expenses that could be charged to the smartphones’ owners.

Information security is about risk management and it needs to be handled corporately, rather than as a series of one-off technical fixes focused on particular systems and processes. It should be a matter of concern for boards, Cabinets, chief executives and directors of finance.

It cannot be viewed as simply an IT problem and abrogated to the IT team. In addition to having a named individual with overall corporate responsibility, it should be part of the responsibilities of all employees. It is primarily about asking – what could go wrong, how likely is it and what are the consequences? Some of the solutions might be technical, but many will be procedural – concerning both physical and process security.

Experience shows that the weakest link in information security is usually human beings. People give away passwords and lose memory sticks. Many of the attacks against information systems are non-technical and are usually perpetrated by legitimate users abusing trust and exploiting lax procedures.

Is there someone in your organisation who might be threatened with redundancy or heavily in debt, who might be thinking of sabotaging your systems, committing fraud or stealing sensitive data? Cyber crime is often just traditional crime using a computer.

Are you doing your bit to reduce and manage the risks?

John Thornton is an independent adviser and writer on business transformation, financial management and innovation
