The need for information security has never been greater… but now the big question is how to implement data security that really works.
There's a lot of research showing that in many cases organizations and workplaces are not doing enough to protect information.
For example, Ponemon showed that over half (55%) of small and medium-sized businesses and 89% of healthcare organizations experienced a data breach over the past two years. In the U.K., the Cyber Security Breaches Survey showed that two-thirds of the largest businesses in the U.K. suffered a cyber attack or data breach in the last year.
Companies have to look at the development of an information security policy as just the beginning. For an information security program to be effective, there also have to be processes in place that target, champion, and support the different protective strategies.
Take a look at how implementing information security in an organization is multi-faceted and on-going:
- Culture: The first step towards creating a successful security awareness program, according to a tripwire.com blog post, is to recognize that there isn’t a timeline with a completion date but rather a fluid development of organizational culture. A culture of security has to start at the top, and permeate throughout the entire organization. Also, “when it comes to protecting information security, complacency is among every organization’s key risks,” concluded the 2016 State of the Industry Report by Shred-it. Keeping information security front and centre in a workplace is important for C-Suites and SBSs alike.
- Privacy and Legislation: As new threats emerge, new legislation and guidelines are created to protect privacy and personal information. An organization must stay up-to-date about changes in privacy legislation, and it must revise its own policies and procedures accordingly.
- Employee Mindset: Any security architecture will be undermined if there is no process in place so all employees understand their role and responsibilities. On-going education is key. The goal is to shift the mindset of employees so that security awareness becomes an integral job function.
- Automate Security: It’s important to ensure that it is as easy as possible for employees to follow instructions for securing data – automation can help. First, protect all hard drives with up-to-date IT safeguards. But where possible, automate decision-making around security. For example, create a program that helps decide if an email needs encryption – so that all the user has to do is press send.
- Stay Current: Security policies have to reflect current trends in the workplace. For example, bring-your-own-everything (BYOx) is a trend that allows employees to bring their own devices to work. Put a process in place to identify all the risks such as mismanagement of devices and unreliable business applications – and address them.
- Business Processes: Look at how information travels throughout the organization, and put business processes in place that are also security controls. In this way, information security is embedded in the workplace. One good example is to partner with a recognized document destruction company that provides a secure chain of custody – with locked containers and secure on- or off-site destruction of information.
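The "Automate Security" item above suggests a program that decides whether an email needs encryption. The following Python code is an added example, not from the original article. The internal domain, the keyword list and the two policy rules are assumptions chosen for illustration.

```python
import re

# Assumed policy values; the article does not define any criteria.
INTERNAL_DOMAIN = "example.com"
KEYWORDS = ("confidential", "payroll", "patient record")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: separates card numbers from order or tracking IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def encryption_reasons(subject: str, body: str, recipients: list[str]) -> list[str]:
    """Return why a message must be encrypted; an empty list means no rule fired."""
    text = f"{subject}\n{body}"
    reasons = []
    # Rule 1 (assumed): a Luhn-valid card number always requires encryption.
    for match in CARD_RE.finditer(text):
        if luhn_valid(re.sub(r"\D", "", match.group())):
            reasons.append("payment card number")
            break
    # Rule 2 (assumed): sensitive keywords require encryption only when
    # at least one recipient is outside the organization.
    suffix = "@" + INTERNAL_DOMAIN
    external = [r for r in recipients if not r.lower().endswith(suffix)]
    if external:
        lowered = text.lower()
        reasons += [f"keyword '{k}' to external recipient"
                    for k in KEYWORDS if k in lowered]
    return reasons


def needs_encryption(subject: str, body: str, recipients: list[str]) -> bool:
    """The decision the mail client applies when the user presses send."""
    return bool(encryption_reasons(subject, body, recipients))
```

Returning the reasons alongside the decision lets the mail client tell the user why a message was encrypted and gives the security team something to audit.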
Identify the areas in your workplace where fraud risk is too high – so you can do something about it.