Why Information Security Matters: The Radar System of Your Organisation
In this information age, businesses have more information flying at them than they know what to do with. It’s not uncommon for this saturation to cause companies to lose sight of the importance of each piece of data they process, store and archive.
Worse still is when the teams within organisations, including senior management, don’t comprehend the pivotal nature, and in some cases the criticality, of the data their trade relies on.
In June 2014, Code Spaces, a code hosting and software collaboration platform, had to permanently close its doors after suffering a devastating cyberattack. The attacker gained access to the company’s control panel, from which all server configurations could be controlled. Once inside, they destroyed critical data, including storage and backups, leaving Code Spaces with no choice but to cease operations and dissolve the company.
Some of the other critical types of information bound to cause significant concern if breached include:
Customer personal data such as names, addresses, phone numbers, email addresses, and dates of birth. If accessed by criminals, this data could enable identity theft.
Financial data such as credit and debit card numbers or bank account details. Breaches of this information put customers at risk of financial losses and fraud.
Employee data such as payroll information, social security or national insurance numbers, health records and background check details. Breaches of this kind would violate employee privacy and trust.
Proprietary business data such as trade secrets, intellectual property, customer lists, contracts, pricing information and operational processes. These breaches undermine competitive advantages and can severely impact operations.
Special categories of sensitive personal data such as racial or ethnic origin, political opinions, religious beliefs, sexual orientation, and criminal records. Exposure to this data can lead to discrimination and social harm.
Following the Code Spaces example, it's also true that not all business models are built to depend on the existence and availability of their underlying data. For instance, if you run a speciality artisanal bakery, the trade’s success will be fundamentally sustained by the craftsmanship of its bakers rather than by the data behind its basic operations. However, every company will process and store at least some relevant data that contributes to business success.
Understanding Risk
Due to the pervasive use of complex modern systems, networks and applications, there is a risk that unauthorised parties can view sensitive data, or worse, exfiltrate or manipulate it. Unfortunately, this risk isn’t eliminated by merely outsourcing IT or even cybersecurity services to a Managed Service Provider (MSP), a sector that is no stranger to breaches of its own. The enticement to a cybercriminal is that a single MSP is often a concentrated repository of many companies' operations.
IT and Cybersecurity outsourcing certainly has its merits, enabling businesses to leverage specialised expertise and advanced technologies in a flexible and cost-efficient manner. However, in many cases, this also underscores the prevailing attitude towards cybersecurity among senior management as one of contempt, where cybersecurity is generally believed to be a restrictive measure to simply remain compliant and appease regulators.
Yet, when assessed correctly, it is clear that cybersecurity was not borne out of a desire to introduce roadblocks for businesses and frustrate plans for growth. On the contrary, cybersecurity—better translated as information security because it’s information we primarily endeavour to protect in a digital world—exists to facilitate the objectives of business leaders.
Suppose an executive or owner wishes to expand the business into a new industry or geography. In that case, cybersecurity acts as the vehicle to safely realise that vision without the company unduly suffering breaches, regulatory fines, and reputational damage along the way.
Nor are large corporations the only ones whose security concerns become business concerns; smaller and medium-sized businesses are also highly targeted, as they are often seen as easy pickings due to their lack of robust security controls and in-house expertise. A few years ago, a small business reported how an attacker gained unauthorised access to its email system, after which the attacker processed fraudulent wire transfers out of the business and into a money mule account.
Despite the risks, many business personnel opt to play Russian roulette with their chances and leave cybersecurity for a later date, or worse. Experts in information security strongly advise against such an approach, as the rate of data breaches and the number of those affected increase significantly every year.
Additionally, sophisticated attack skills are becoming increasingly accessible to cybercriminals through knowledge dissemination, enabling them to take advantage of companies with such laissez-faire attitudes.
The following statistics serve as a profound but damning illustration:
According to the Cyber Security Breaches Survey 2023, 32% of all businesses identified breaches or attacks in the last 12 months, with the rate increasing for larger firms: 59% for medium companies and 69% for large corporations.
Among those that experienced breaches in the 2024 survey, over half (53%) of businesses said it happens at least once a month, and nearly a third (32%) experience them at least once a week. (Source: https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2024/cyber-security-breaches-survey-2024)
For small businesses specifically, StrongDM found they faced over 700,000 cyberattacks in 2020 alone, totalling $2.8 billion in damages.
The Identity Theft Resource Center (ITRC) stated that 73% of U.S. small business owners reported a cyberattack in the previous year.
The Approach to Remediation
The reality appears grim if nothing is done to manage an organisation’s security posture, but sensible security measures can significantly reduce both the likelihood and the severity of a data breach.
Every organisation rests on just three pillars: its people, its processes and its technology. Everything fits into one of these pillars, which helps business leaders focus their efforts on reducing the risk to their assets to an acceptable level.
Generally speaking, there are common cyber hygiene measures across these pillars that a security-conscious small or medium-sized business will implement. Here are some examples:
People—Cybersecurity awareness training for employees delivered by in-house staff or learning providers is a popular choice for good reason. The prime focus areas are identifying threats such as phishing or tailgating, using strong passwords, and securely handling sensitive data.
Processes—Limiting access to sensitive data on a need-to-know basis and enforcing strict access controls is a procedural aspect of an organisation to mitigate accidental or deliberate misuse of sensitive data.
Technology—Implementing strong cybersecurity measures like firewalls, anti-malware programs and encryption is an example of technical controls that, once configured correctly, remove the element of human error.
Ultimately, the above examples and related measures are most effective when business leaders understand the business's security posture through engagements such as audits, risk and vulnerability assessments, penetration testing and similar activities that uncover the problem areas exposed to a bad actor with malicious intent.
These fundamental engagements bring everything else into focus, which is necessary for making informed decisions about security across both general and specific business practices.