Information drives businesses’ performance as much as physical assets, and not just in sectors where intellectual property plays a key role in product development. Patents are ‘information’, but so are individuals’ bright business ideas, customer data, marketing plans and salary figures. While these may not appear on a balance sheet, they do affect the things that do. Meanwhile, the common view across government, the media and industry is that the threats to an organisation’s information are many, complex and getting worse.
While vital to business effectiveness, information security is often misunderstood or poorly implemented. This may be due to a lack of clarity about which ‘information’ needs to be protected, or because developing an information security policy is considered a corporate obligation rather than critical to protecting commercial and competitive position.
By taking a risk-based approach to information security and regarding security as a strategic imperative, your organisation can thrive while your competitors struggle.
Key steps to stronger information security
Change your mindset: protect your information for competitive as well as legal reasons
Laws cover personal data, government-classified information and market-sensitive information in the regulated sectors. But there is also the need to safeguard competitive advantage, which cannot easily be regained if lost. If your plans or proprietary techniques leak to a competitor or more widely, you lose that chance to increase shareholder value. Consider information security as a business rather than a technical challenge, and as something that will enable your organisation to deliver its promise to your customers, rather than restrict it.
Focus on the risks that would cause your business the most pain
The ever-increasing pace of communication means that information can be transferred, stolen, damaged or lost instantly. You might assume that information security is impossible because there are just too many threats out there, from the malicious actions of hackers to the inadvertent negligence of employees. This is wrong: if you clearly identify the information ‘crown jewels’ that are critical to your business, and understand who or what poses a threat to them, you can predict the tactics likely to be used against them and assess how good your defences are, improving them as required. You should carefully prioritise the risks, disregard the lesser ones and focus your attention on those that would cause your organisation real pain.
Ensure you consider the role of your organisation’s people in information security
Information security should not be seen as something that belongs solely to the IT department. While more sophisticated IT clearly enables your business, in security terms it can also provide the means for people to lose information more quickly than before, and in larger quantities. Every information security breach has a human element to it, usually accidental or unthinking. Your employees and colleagues are the best defence against information loss if properly briefed, and the biggest liability if not. So there is a clear need for senior executives to see information security as a strategic issue running through the whole organisation, and to turn people into well-briefed protectors of the organisation’s information assets. The key factor is the tone set by the most senior executives, who should also be alert to any ‘silo mentality’ which might hamper good information security practice.
Success lies in reducing information security risks to an organisation in a practical, integrated way that frees everyone to focus on core business activity. In addition to our work helping industry-leading organisations improve their information security management and resilience, PA Consulting Group co-wrote the UK Government’s official guidance on the Holistic Management of Employee Risk (HoMER). We have the breadth of expertise to provide an integrated approach to information security and cyber security, to help safeguard your critical information assets effectively and productively.