How to Avoid Information Security Breaches in your Organisation?
- Posted by Rose Wilson
- Categories Information Security
- Date 18/10/2023
Maintaining information security is of vital importance for any organisation, particularly those that handle personal or sensitive data. Data breaches can have a huge, negative impact on the reputation of an organisation, and, if an organisation is found to be in breach of data protection legislation such as the General Data Protection Regulation (GDPR), it may also be subject to significant financial penalties. How, then, do organisations go about maintaining information security, and avoid the financial and reputational damage associated with failing to do so?
First and foremost, it is important to remember that accountability for avoiding data and security breaches rests with the organisation as a whole, not with particular individuals within it. That said, every employee in your organisation carries some degree of responsibility, both to themselves and to the organisation, for keeping the information they handle secure. There are a few key questions that all of your colleagues should be able to answer, at least in outline, in order to do so.
- What information do we need to keep secure?
- From whom or what are we protecting our information?
- How do we protect it?
If you’re unclear about the answers to any of these questions, you should get in touch with your line manager or, if you are the line manager and are unsure, seek out your information security manager, or any other individual within your organisation who is responsible for maintaining information security.
What information do we need to keep secure?
This is perhaps the most important question that we will discuss in this blog. Ultimately, you cannot maintain information security without a thorough understanding of what exactly it is that you are protecting.
Throughout any organisation, employees will deal with a range of information types, usually with different levels of sensitivity or risk attached and with different access control requirements. The specifics will naturally vary completely depending on your organisation and the sector and industry it operates in. Regardless, it is vital that all staff members understand what information or data your organisation holds and how it should be handled. Information security professionals refer to the first part of this as an asset list (or asset register) and to the second as an ‘information classification and handling’ scheme, which assigns each asset a classification level and sets out the handling rules that apply to it.
From whom or what are we protecting our information?
Having established what information you are protecting, you can identify the ways in which its security is threatened, commonly referred to as threat vectors. Threat vectors can be distinguished as internal or external (for example, a careless or malicious insider versus an external attacker) and divided into the categories of human and technical (for example, a phishing email that relies on a person being deceived versus a software vulnerability or hardware failure). These categories are quite broad, so each will have a number of subcategories within it, often depending on the geographical, political/sociopolitical and economic situation the organisation operates within.
How do we protect it?
Unfortunately, there is no simple answer to this question and, as with every other question we have addressed in this blog, it will depend entirely on the nature of your organisation. However, there are some best practices that every organisation can observe, which you can tailor to your organisation’s unique needs and challenges.
Every organisation should have some structure set out to achieve a holistic, transparent approach to information security management; if your organisation doesn’t, we highly recommend you introduce this. The structure will define the means and measures you have implemented (or will implement) to protect your organisation’s information assets, and the roles and responsibilities individuals will take on in doing so.
To support this, you could consider implementing an established information security framework. Some widely used frameworks include ISO/IEC 27001, published by the International Organization for Standardization (ISO); Control Objectives for Information and Related Technologies (COBIT); and the Cybersecurity Framework published by the National Institute of Standards and Technology (NIST). By conducting an information security risk assessment, which weighs the likelihood and impact of each identified threat against each information asset, you will be able to identify the areas of your organisation which require the most investment and effort. If you need help doing so, URM is adept at conducting information security risk assessments, as well as supporting every stage of the ISO 27001 (the International Standard for information security management systems) lifecycle.
However, the most important thing to take away from this blog is that everyone within your organisation, regardless of role or level of responsibility, should understand the importance of information security and have at least a basic awareness of how it is maintained. In addition, it is vital that your organisation fosters a culture of openness, in which staff members always feel able to report a mistake or near miss without fear of blame, since an incident that goes unreported cannot be contained.