How to avoid data breaches with the right infosec strategy
By Rebecca Harper, Head of Cybersecurity Analysis at ISMS.online
The UK is already a major target for cyberattacks in Europe, and its cybersecurity agency has warned that the number of “hackers for hire” will grow over the next five years, creating increasingly unpredictable threats.
Deputy Prime Minister Oliver Dowden has acknowledged the threat posed by these unpredictable actors, alerting UK businesses to credible incoming attacks aimed at critical national infrastructure and supply chains. A particularly worrying aspect is that these actors are ideologically rather than financially motivated, which is another reason for UK businesses to manage information security more proactively.
In the last year alone, the news has been dominated by a multitude of high-profile data breaches, from BA and the BBC to Boots and Capita. Just over a month ago, Facebook’s owner Meta was issued with a £1bn fine for mishandling people’s data.
The proliferation of cyberattacks and data breaches puts the responsibility on businesses to implement an adequate information security (infosec) strategy. This is not only to protect the organization’s information assets but also to build trust, win business, and flourish in the long term.
Rather than viewing it as a barrier to business success, businesses should see infosec policies as a safeguard against threat actors.
The State of Information Security
In the last year, well-known global businesses have received hefty fines following data breaches or violations of data protection rules. At the back end of 2022, construction firm Interserve was handed a £4.4 million penalty by the Information Commissioner’s Office (ICO) after hackers stole the personal data of 113,000 current and former employees. More recently, TikTok was fined £12.7m for illegally processing children’s data.
Financial data is the most lucrative target for hackers: a report from July last year found that financial data breaches accounted for 153.3 million leaked records from January 2018 to June 2022.
Many businesses respond to cyber incidents in a knee-jerk fashion, increasing information security budgets and team sizes soon after. A recent report found that security spending increases by an average of 17% after just one cyberattack, and by as much as 71% once an organization has had to deal with three cyberattacks. Unfortunately, by then it is often too late, with many businesses incurring hefty penalties in the aftermath of an attack. This financial loss excludes the near incalculable cost of reputational damage and loss of customer loyalty.
Allocating a sufficient budget to cyber threats can be complex and should involve the entire executive team. Ultimately, cybersecurity is as much a business strategy as a technical issue, and the decision on how much budget to allocate to infosec must be taken with the company’s overall financial and reputational health in mind.
Building a proactive infosec strategy
To counter the growing threat and potential damage of cyberattacks, businesses must build and maintain a solid information security strategy to secure their assets. Creating a robust, resilient infosec policy requires coordination across all significant business pillars and should involve everyone. The following five elements will help with developing a dynamic strategy:
Decision-makers involved in the policy development process should determine what they want the policy to accomplish at every stage. The risk assessments, during which they identified vulnerabilities and areas of concern, should give them a good idea of which areas to target. Each element of the policy should be tied to one of these objectives, so that it serves a specific purpose within the business network.
Again, decision-makers will use information discovered during the assessment to determine the policy’s scope, indicating who is responsible and to whom the policy applies. Any gaps in coverage the assessment reveals can then be closed.
Here it is essential to instill the concept that information security belongs to everyone. Company culture and best practices will play a significant role in communicating this to staff and shaping the policy’s purpose. The specific risks and regulations that apply to the organization, and the need to adhere to them, will also inform the policy’s purpose.
Business leaders must ensure the infosec policy is enforceable. Equally, it is crucial that everyone, from the CEO to the newest employee, complies with the policy. Implementation methods may range from videos to training sessions, but they will only succeed if the policy is brief and concise. Don’t overburden policies with technical jargon or legal terms: a policy that no one understands cannot be enforced.
A framework of policies and controls housed in an information security management system (ISMS) will allow cybersecurity teams to manage information security risks systematically. Using a single platform, they can access information security policies, maintain them, and build on them. This makes updating the policies a breeze, and security specialists can close out concerns much more quickly.