Information is without doubt the most critical asset of any business. You may lose people, but you can hire more; you may lose infrastructure, but you can buy or lease more; you may lose customers, but you can devise a strategy to win more; but if you lose information, you might be out of the game.
Protecting information from loss, misuse and theft has been a concern for most businesses since the first years of the information age. It is well known that companies that did not properly protect their information and eventually suffered attacks have faced high costs, whether from loss of data, interruption of operations, or even loss of reputation.
Information security is the set of practices or controls that seek to maintain the confidentiality, the integrity and the availability of information. The main focus of this discipline is, clearly, protecting information: preventively protecting information assets from being breached in any form.
Frameworks like the ISO/IEC 27001 standard provide a comprehensive view and understanding of which controls an organization should have in place to protect its information assets, covering, among others, organizational controls (policies, audits), human-resources controls (yes, even before hiring a new resource there should be some sort of control in place, such as screening), physical controls (doors, restricted access), legal controls (contracts, NDAs) and various IT-related controls (some technical, some logical).
Since most of the information held by organizations is stored in computer systems, many of the controls that need to be implemented are quite technical, so there’s a growing need for advanced techniques to enable technical security controls and maintain the integrity of the hardware and software through which data is handled and managed.
There are many approaches to cybersecurity (ISO/IEC 27032, NIST, CSX, etc.), and techniques are quickly advancing as related technology like Big Data, Internet of Things (IoT), Artificial Intelligence (AI) and others keep evolving as well.
Nevertheless, no matter how strong the security controls of an organization might be, the bad guys also keep doing their homework. If an organization is a subject of interest, it will be hit at some point. A few years ago there was the famous saying “It’s not a matter of ‘if’, but ‘when’”, referring to the imminent attack that all big corporations would suffer in an attempt to breach their information. As negative as this might have sounded, experience has shown it to be true.
So no matter how strong an IT organization is, it’s going to be hit, sooner or later. How, then, are you going to recover from that attack? This is where the concept of resilience comes into the picture. Resilience is the capacity of an organization to quickly recover from a cyberattack or security breach and keep the damage caused to a minimum. Resilience in IT is achieved through practices like Incident, Problem and Continuity Management, but applied with a proactive approach rather than a reactive one.
As good as it might sound, resilience is definitely not enough in today’s demanding environment. Having the capability to recover fast from a security incident is definitely better than being prepared only on the preventive side, but the complex IT organizations protecting the stakes of businesses in the digital age need more than that. They need to become more robust each time a new vulnerability or potential breach is discovered, and even more so when they get hit.
Antifragility takes organizational capabilities to a whole new level by proactively discovering vulnerabilities, even by exploiting them intentionally, and making the infrastructure and systems stronger by applying the necessary controls. The already famous ‘Simian Army’ concept developed by Netflix might be the best example of antifragility coming to life.
Information Security Awareness
No matter what controls the organization has in place, or how resilient or antifragile it is, there’s always the risk of untrained or unaware users. Statistics show that at least 60% of cyberattacks are made possible through internal users who do not necessarily have bad intentions; but a user who is unaware of the risk of, for example, clicking on a link in an e-mail from a non-trusted source puts the organization at a much higher risk than the deliberate attacks the bad guys could be launching directly against the organization’s systems or networks.
The key, then, besides undertaking the cybersecurity, resilience and antifragility efforts, becomes having the whole user base (and these are business users, beyond IT) trained in the most basic and simplest principles and concepts of information security: their role in protecting the business’s information, and the risk of those tiny, apparently insignificant and harmless actions that could jeopardize the integrity of the business itself.
Statistics also support the success of such programs. Benchmarks show that the average percentage of phishing-prone users in an organization is 37.9%, but through implementing a user awareness program this number is reduced to 14.1% within 90 days and down to 4.7% after one year of continuous security awareness training.
Does your organization already have an information security awareness program in place? Would you like to learn more about which options exist? If so, please connect with us, and we’ll be happy to further discuss.