5 Reasons Your Business Should Have an Information Protection Policy

Information is the lifeblood of all businesses, but many business owners and high-level managers overlook the security of their business information to focus on what they consider more important: “the generation of revenue.” Many even know the risk well in advance but take on the mentality, “It will never happen to us.” Then the inevitable happens.

Experience has proven that disregard for the protection of business information is disastrous. The smallest vulnerability in a business’s Information Security System (ISS) can and does cost businesses thousands, even millions, of dollars in financial loss every day. Experts have found that in the majority of cases involving “loss” from the theft of information, the business owner(s) or managers were aware that potential breaches existed and did nothing to correct the issue. Experts also point out that in 99% of the cases, the cost to fix the breach would have been thousands to millions of dollars cheaper than the loss the business sustained from the breach itself.

According to “Trends in Proprietary Loss” (ASIS International, 2007) these are the top 5 reasons businesses of all sizes should have an active and progressive Information Security System (ISS) and Information Security Management System (ISMS) in place.

  • Loss of reputation/image/goodwill – Taking a hit in the pocket could be bad, but not half as bad as taking a hit to your reputation. Many businesses can rebound from loss of revenue, but repairing your business reputation can cost astronomical time, effort and money. The implications are overwhelming in most cases.
  • Loss of competitive advantage in one product/service – When you have been working feverishly to stay ahead of the game but your competitor beats you to the finish line every time, “There’s a hole in your boat.” The leaking of trade secrets, product delivery timelines and other business processes can completely derail a business and destroy its competitive advantage. In 2006 there was a well-known case of information theft concerning an employee from a major beverage company. That employee stole trade information and conspired to sell it to another beverage company for 1.5 million dollars. The employee was arrested after the competitor turned her in.
  • Reduced projected/anticipated returns or profitability – This can occur when your competitor knows your pricing strategy. If they’re selling the same type of product or service as your business, they can, and will, easily outprice you.
  • Loss of core business technology or process – A quick Google search will give you some insight on how businesses lose billions in the process when technology is leaked or stolen. The case of the drawn-out and costly battle of the “Cell Phone Giants” comes to mind. Do a Google search about it. There are some really insightful facts that you may not have known about the case.
  • Loss of competitive advantage in multiple products/services

All of the above are sound reasons why your business should have an active information security policy. I am of the opinion that any business that regularly loses money and fails to implement processes to stop it will soon be out of business. Therefore, I encourage all business managers, executives and owners to take the protection of their information seriously. Make time to review your current information security processes and policy with your security manager. Listen to his/her concerns and recommendations. After all, that is what you hired him/her for. Concentrate on making your security a “Necessary good” instead of a “Necessary evil” and dedicate a reasonable but flexible budget to immediately address new or unexpected security threats. It could truly save you a life of headaches, court battles and money in the end.

Below are a few recommendations that I believe will help any business to begin improving its information security process. They will also help to improve overall security in general.

Recommendations

  • Ensure that sensitive information is only accessible to a small group of people on a need-to-know basis. This information is to be kept in a secure area with progressive and redundant security measures.
  • The first level of security can be posted signage that designates the level of authorization required to be in specific areas. These signs should also advise the consequences for ignoring them.
  • The second level of security may include CCTV cameras which are manned or unmanned (but have the ability to be reviewed later). Cameras serve as a good method to detect, deter and in some cases respond to nefarious behavior.
  • The third level of security mandates designated key cards or key fobs to enter restricted areas. This authorization can also be indicated by color coded ID badges. A security checkpoint guarded by trained security officers is also an option.
  • The fourth level of security concerns areas where the most sensitive information is held. This area should include CCTV cameras, locked file cabinets and safes. This should be supported by a well written Information Protection Policy created in partnership with an experienced security professional and it should be strictly adhered to.
  • Lastly, a schedule for audit and compliance should be instituted and a designated person appointed the responsibility for its oversight. This recommendation has more to do with Information Security Management, which I will discuss in a later topic.

General Information Security Practices

The preceding concerned security strategies for highly sensitive information; however, we must not overlook the need for the security of general business information. Information comes in many forms and businesses must protect them all. Here are a few more tips that I recommend to improve your current Information Security Policy:

  • Ensure that all documents that contain personal, personnel and company information are always kept secure. This information should never be left lying around on someone’s desk or in their inbox. Always keep this type of information under lock and key and designate a person to ensure strict accountability.
  • Ensure that you have an information security policy in place and share it with your entire staff. This policy should include how to file or discard company information.
  • Ensure that your company has a shredder and include shredding regulations (what should be shredded, when and by whom) into your policy.
  • Always ensure that someone in your organization stays abreast of current cyber threats. This person is normally the head of the IT department or your security manager. He/she should also ensure that your anti-virus and firewall systems are regularly updated and tested. If your company does not have a dedicated IT department or manager, it wouldn’t hurt to consult with an IT Security firm to get a check-up.
  • Ensure that your Information Protection policy includes regulations pertaining to thumb drives and portable hard drives. The policy should clearly state what information can be saved or uploaded from and to the devices. Also consult with your IT department to disable the USB ports on your computers and networks if necessary.
  • Finally, every business should have a Non-Disclosure Agreement. NDAs set the expectations for your employees as it pertains to the privacy of your business affairs, processes and materials. It also provides the recourse for violating the policy. can be found on the web, but I recommend consulting with your attorney to ensure that your NDA provides you and your business optimum protection.

That about sums it up. I believe that by implementing these strategies every business can improve the protection of its information and reduce the chances of suffering financial loss. In many cases you may even increase your profitability, which is why we are all in business anyway. I hope that you found this information valuable. Never underestimate what a solid Information Security Program can do for you.

Thanks for reading and I hope that these quick security tips help to kick start or rekindle your Information Security Program.

Do Subjective Reviews of Multi-Level-Marketing Exist?

For newcomers to network marketing or those who are considering switching companies or even joining an additional MLM opportunity, the multilevel selling review is a critical piece of info. The difficulty is to be ready to find a review that’s unprejudiced and objective, although some viewpoints and suggestions might also be helpful. This article references one or two review sites that offer info.

MLM Review Kings run by Brian Garvin and Jeff West offers a great review of many MLM opportunities along with, of course, their top recommendations. You can find the reviews divided up by categories or in alphabetical order on the right-hand side of the default page, as well as a large amount of information that might aid you as a network marketer.

NetworkMarketingReview.net offers a reasonably comprehensive list of MLM corporations that you might want to test out. You can find them all at the left-hand side of the site in alphabetical order along with some other interesting subjects which are pertinent to internet promotion and web marketing in general. Just this one post offers a treasure house of information. Also, it’s worth noting the overall view of the network marketing industry on this site is kind of negative. OnlineMLM Forum is one such forum as is MLM Forums. There are several web marketing and internet marketing forums which offer some discernment, although it could be rather subjective, into the internet marketing industry.

The network marketing industry always brings up extremely polar views. Some folk are very passionate about it, including top authors like Robert Allen and Robert Kiyosaki. It’s fascinating to notice that the mention of franchises not too long ago would have caused the same kinds of reactions.

Social marketers who are serious about building their firms should be reading and studying about business basics, the most recent sales and marketing methodologies, tactics for networking and business development, for example.

And a multi-level selling review is a handy place to start if you need to find out more about the industry generally as well as be informed about explicit companies.

Site Sell Review – Check Out My Review of Site Sell

My writing of this Site Sell Review was prompted by the overwhelming number of positive reviews that I found on the net from people who have used it. There is no other program that comes anywhere close to this program in providing insights on what you need to do to make your internet marketing business successful.

Developed by Dr. Ken Evoy, Site Sell comes in three volumes that guide you on the steps that you need to follow to make your business a real creator of money. Where other programs provide you with the basics of setting up your online business, Site Sell goes further and provides you with detailed information on how to build on the basic steps to make your business truly lucrative.

To achieve continued growth, you are guided on:

–    Strategies of developing a product and how to position it
–    Site development strategies that attract customers
–    Traffic generation strategies.

With Site Sell, one of the biggest headaches that afflict most people venturing into online business is overcome. You are provided with information on how to select products that you can sell quickly to realize a profit so that you do not have to waste your time and energy trying to find out what is feasible and what is not.

Product choice and traffic generation, as I discovered before writing this Site Sell Review, are the biggest hurdles that an internet marketer has to overcome and the course provides 451 pages on how to generate traffic. Traffic generation is key to income generation and could actually make or break a business.

Something else makes the course stand out and motivated me to write this Site Sell Review. The course explains in detail the concept of pre-selling which most other programs do not address. Pre-selling is a marketing strategy that, when properly utilized, will make visitors to your site willing to buy even before they reach your sales page.

The depth of this course puts other internet marketing courses to shame and it is highly recommended for those keen to see their online revenue grow in leaps and bounds.

Making Your Employees Understand the Value of Information

When deploying a bespoke information security awareness campaign, the ultimate aim is to build a mindset in which employees come to respect and protect the information they work with. To achieve this, it’s imperative that employees fully understand the value of that information.

Failing to understand the value of information is a major cause of information security breaches. For example, it’s the reason why sensitive information ends up in wastepaper baskets or recycling boxes, which subsequently exposes it to ‘dumpster diving’ – the practice of scouring company bins for useful competitor intelligence.

Failing to understand the value of information has led to some of the high profile ‘laptop left on a train’ incidents, where employees are walking around with sensitive information on their hard drives that hasn’t been encrypted for transport.

Failing to understand the value of information can even cause employees to talk themselves into doing things they’ve already been told are bad practice, such as connecting to an unsecure hotel wi-fi to check email. We’ve all been tempted to do it because of the convenience. What stops us is knowing how valuable the emails coming in and out are – all of which can be intercepted on an unsecure wireless connection.

Communicating value

The value of information is best communicated through a clear information classification scheme. For example, let’s use the traditional labels of ‘public’, ‘internal’ and ‘confidential’ information. One of the most effective methods of communicating value is to consider all of the information types within your organisation and categorise them under these headings. Turn that into a clear communication that allows employees to see exactly which information types should be considered under which classification. There are also some engaging and fun ways to embed this in your employees’ minds.

Make classification mandatory

Making classification of all documents mandatory also helps to embed this consideration of value. A classification must be assigned to every new piece of information that employees generate. Similarly, every piece of information they receive must be immediately checked for its classification. If a piece of information is passed on without a classification, then the practice of sending it back to the originator for classification will eventually cause this handling procedure to become second nature.

Protecting confidential information: Carrot or stick?

For most organisations, accidentally or intentionally disclosing confidential information is a disciplinary offence. As long as you state this as part of a campaign that simultaneously instils the value of information, then it can be quite effective.

However, bear in mind that the most effective internal communications campaigns succeed by aligning the objectives of the employee with the objectives of the organisation. Therefore, a more effective method is to make the employee see the personal value of protecting information at work. There are many messages that can be used, such as building the employee’s perception of their contribution to organisation success, and the need to protect the integrity of this achievement. You can also communicate how devastating an information breach can be – for example, through lost revenue or a fine from the Information Commissioner’s Office. An information breach could even cause enough lost competitive advantage that an organisation is no longer able to operate at the same size it was. This associates the concept of information security with job security.