Information security has always been a critical conversation topic for companies of all sizes in all industries, but more so in recent years. Since 2021, cyber-attacks have increased by 125%, urging companies to take a proactive approach to protecting their sensitive data and systems. This is where the need for a robust information security program comes into play.
Developing and implementing an information security program needs the expertise and guidance of a Head of IT. However, implementing it can be challenging, given the rapidly evolving threat landscape and complex IT infrastructures. As a Head of IT, to stay ahead of the curve, you need to stay updated on the latest best practices, trends, and regulations related to information security.
In this guide, we'll explore everything from the importance of information security and evolving threats to how you can protect your company through best practices and deal with a security breach if it occurs.
Let’s first look at what information security is and why it’s so important now.
What is information security, and why is it important?
Information security is the practice of protecting data from unauthorised access, use, disclosure, disruption, modification, or destruction. It includes a variety of technologies and processes that work together to safeguard sensitive data.
There are three main components of information security:
- Confidentiality - Ensures that information is only accessible to authorised individuals.
- Integrity - Ensures that information is accurate, complete, and reliable.
- Availability - Ensures that information is accessible to authorised individuals when needed.
These three components are often called the CIA triad, forming the foundation of any effective information security program.
Developing a sound information security program is more important now than ever, as more companies are connected to the Internet of Things (IoT) and cybercriminals constantly seek new ways to exploit vulnerabilities in these interconnected networks. This is also evident in the shift to working from home after the Covid-19 pandemic, where employees use unprotected personal devices that increase the risk of cyber-attacks.
Apart from this, companies need to think about compliance with regulations like the GDPR (General Data Protection Regulation) and the NIS2 Directive, which set out rules to protect the personal data of individuals across several countries. Failure to comply with these regulations can result in significant fines and legal liabilities.
These regulations are constantly being updated to keep up with evolving threats. Attackers continue to find ways to modify the common threats we know of, which is why companies and upper-level management need to stay up-to-date.
What are the most common information security threats, and how are they evolving?
Companies face several common information security threats, and they continue to evolve in complexity. Here are some of the most common information security threats:
1. Phishing attacks
Phishing is a type of social engineering attack in which attackers try to trick users into giving away their sensitive information, such as passwords or credit card details.
Phishing attacks are becoming more sophisticated and harder to detect, and they often leverage current events or personal information to appear more convincing. For example, attackers may use information from social media or other online sources to craft convincing phishing emails.
2. Malware
Malicious software (malware) refers to programs intentionally designed to disrupt computer networks, leak private information or deny access to information. Malware can take many forms, like viruses, trojans, ransomware, and spyware.
Cybercriminals are using techniques such as polymorphism, which allows the malware to change its code and evade detection by antivirus software. Additionally, malware is becoming more targeted and tailored to specific companies or industries.
3. Advanced persistent threats (APTs)
APTs are long-term targeted attacks by cybercriminals who seek to gain access to a company’s sensitive data and systems. State-sponsored attackers or organised crime groups often carry out APTs. APT attackers increasingly use tactics such as "living off the land," which involves using legitimate tools and processes to carry out attacks and evade detection.
Examples of dual-use tools which have been used for living off the land attacks are Windows Sysinternals, NETSH, or SC tools, or forensic tools like the password extracting tool Mimikatz.
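Because these tools are legitimate, detection has to look at the context in which they run rather than at their mere presence. The following sketch is an added example, not part of the original article: it scans constructed process-creation events for the dual-use tools named above and flags only those launched in an unexpected context. The field names, the `SUSPECT_PARENTS` and `ADMIN_USERS` lists, and the use of `psexec.exe` to represent Sysinternals are assumptions made for illustration.

```python
import json

# Dual-use tools named in the text, keyed by executable name.
# psexec.exe stands in for the Sysinternals suite (assumption: one tool shown).
DUAL_USE = {"netsh.exe": "NETSH", "sc.exe": "SC",
            "psexec.exe": "Sysinternals", "mimikatz.exe": "Mimikatz"}
# Assumptions for this example: parents that rarely launch admin tools,
# and the accounts expected to run them.
SUSPECT_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "wscript.exe"}
ADMIN_USERS = {"CORP\\it-admin"}

# Constructed process-creation events (JSON lines), not real telemetry.
SAMPLE_LOG = r'''
{"host":"ws-014","user":"CORP\\it-admin","image":"C:\\Windows\\System32\\netsh.exe","parent":"C:\\Windows\\System32\\cmd.exe"}
{"host":"ws-022","user":"CORP\\j.doe","image":"C:\\Windows\\System32\\sc.exe","parent":"C:\\Program Files\\Microsoft Office\\WINWORD.EXE"}
{"host":"ws-022","user":"CORP\\j.doe","image":"C:\\Windows\\System32\\notepad.exe","parent":"C:\\Windows\\explorer.exe"}
{"host":"srv-003","user":"CORP\\it-admin","image":"C:\\Temp\\mimikatz.exe","parent":"C:\\Windows\\System32\\cmd.exe"}
'''

def exe_name(path):
    """Lower-cased file name from a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def assess(event):
    """Return a finding if a dual-use tool runs in a suspicious context."""
    tool = DUAL_USE.get(exe_name(event["image"]))
    if tool is None:
        return None
    reasons = []
    if exe_name(event["parent"]) in SUSPECT_PARENTS:
        reasons.append("unusual parent")
    if event["user"] not in ADMIN_USERS:
        reasons.append("non-admin user")
    if tool == "Mimikatz":  # no routine administrative use
        reasons.append("credential tool")
    if not reasons:
        return None  # legitimate tool, expected context
    return {"host": event["host"], "tool": tool, "reasons": reasons}

def scan(log_text):
    """Parse JSON-lines events and return the findings, in log order."""
    events = (json.loads(line) for line in log_text.splitlines() if line.strip())
    return [f for f in map(assess, events) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Matching on file name alone is defeated by renaming the binary, so a production rule would also compare file hashes or embedded version metadata.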
4. Insider threats
These are threats to a company that come from people within it, like employees, former employees, contractors or business associates. They can take the form of intentional data theft, sabotage, or accidental disclosure of sensitive information.
Malicious insiders may use techniques like steganography to hide their activities, making it harder for security teams to identify and stop their actions. Additionally, accidental insider threats are becoming more common as employees work remotely and use their personal devices for work.
5. Internet of Things (IoT) attacks
IoT is a collective term for devices with software that connect and exchange data over the internet. The increased use of IoT devices has created new vulnerabilities that cybercriminals can exploit. Many of the devices are highly secure and connected to robust information security systems, but these attacks still succeed mainly because of human error.
Online threats are always present and constantly evolving, so to stay safe and prevent any damage, the Head of IT must consider all the available options to protect the company.
What can you do to protect your company from these threats?
The silver lining for companies and management is that there are just as many solutions to information security as there are threats. You must identify the solutions your company needs and implement them swiftly. Here are a few solutions:
- Implement a firm security policy
The security policy should outline the company's security measures, standards, and protocols. It should also include incident response and recovery guidelines, roles and responsibilities, and acceptable technology use. To ensure that the policy remains effective and relevant, it should be reviewed and updated regularly.
- Provide regular training and awareness programs
Employees should receive regular training on topics like cybersecurity best practices and phishing awareness to educate them on the latest security threats and how to identify and prevent them. Employees should also be encouraged to report any suspicious activities or incidents.
- Implement access controls
To limit access to sensitive data and systems, access controls such as two-factor authentication, password policies, and least privilege access should be implemented. This helps prevent unauthorised access and reduce the risk of insider threats. Access controls should be regularly reviewed and updated as necessary.
- Use the latest security technologies
To detect and prevent threats, up-to-date versions of security technologies like antivirus, firewalls, intrusion detection and prevention systems, and endpoint security solutions should be used. These technologies should be regularly updated and configured appropriately to provide the best possible protection.
- Conduct regular security assessments
Security assessments like vulnerability scanning and penetration testing should be performed regularly to identify security gaps and areas for improvement. The assessments' results should be analysed, and appropriate actions should be taken to address any identified flaws.
- Keep software and systems up-to-date
All software and systems should be updated with the latest security updates to prevent exploitation of known vulnerabilities. This not only includes operating systems and applications, but also firmware and hardware.
- Develop an incident response plan
An incident response plan should outline the steps to be taken in the event of a security breach or incident. The plan should include a chain of command, communication protocols, and procedures for isolating and containing the incident. It should also have a post-incident review to identify any areas for improvement.
Implementing all these measures can help companies take a big step into information security. However, it is impossible to create a security program that is always 100% effective. For this reason, the Head of IT along with company management should always be prepared to deal with breaches and security incidents.
How do you deal with an information security breach?
Security breaches can happen anytime to anyone, and dealing with them can be a complex and challenging task for the Head of IT. However, taking the proper steps and having a good plan can help to effectively deal with a breach and stop further damage.
Step 1: Identify the scope of the breach - As soon as the breach is detected, it is important to determine the extent of the damage. This includes identifying what data or systems have been compromised and assessing the potential impact of the breach.
Step 2: Contain the breach - Once the scope of the breach is understood, the Head of IT should take steps to contain the breach and prevent further damage. This may include shutting down affected systems, blocking network traffic, or isolating infected devices.
Step 3: Notify stakeholders - The Head of IT should communicate the breach to relevant stakeholders, such as executive management, legal counsel, and affected customers or employees. It is essential to be transparent about the situation and provide timely updates as new information becomes available.
Step 4: Conduct a forensic investigation - A thorough forensic investigation can help to determine the cause of the breach and identify any vulnerabilities in the company’s security infrastructure. This information can be used to prevent future breaches and improve overall security.
In many instances, a forensic investigation is also required by contractual obligations (e.g. a PFI investigation as per PCI DSS). Avoiding this step could also land you with a hefty fine for breaking this contract.
Step 5: Implement remediation measures - After the investigation is complete, the Head of IT should work with other departments and vendors to implement remediation measures. This may include installing software patches, updating security policies, or training employees on security best practices.
Step 6: Monitor for further incidents - Finally, it is important to monitor the company’s systems and data for additional signs of a breach. This can help to detect and respond to new threats before they cause significant damage.
Security breaches can be time-consuming and costly for companies that fall victim. While having an information security program in place can help to prevent them, you should also consider information security best practices to fully understand how you can protect your company better.
What are some successful information security practices?
As a Head of IT, there are several key practices you can implement to ensure successful information security for your company. These include:
- Focus on key controls - Before focusing on new technical initiatives, a good first step would be implementing key controls that have already been mapped and could be highly successful in preventing most cyber-attacks. Implementing and demonstrating these controls will give the company confidence that fundamental protective measures are being put in place.
- Create a sense of reality around the threats - Communicate the real threats your company's information assets face and how they could translate into real consequences across the company. Present risk levels in a language that employees and stakeholders can understand and build a meaningful dialogue with them that should drive the right decisions.
- Align short-term plans with long-term plans - Link short-term information security projects to a long-term business strategy. By doing this, companies can ensure that their security efforts are consistent and well-coordinated, which will minimise gaps in security coverage and enable them to respond more effectively to emerging threats.
- Assign responsibilities and accountabilities - Ensure that the appropriate controls are in place across the company, backed by a sound information security governance framework. Distribute accountabilities and responsibilities down to all relevant stakeholders across all departments.
- Operate information security as an ongoing structured practice - Instead of treating information security as a set of short-term tasks, view it as a planned process consistent with a long-term information security plan. This plan should aim to reach an ultimate information security goal and make long-lasting changes throughout the entire company.
- Focus on people and processes, not just technology - Before looking for technical solutions to protect the company, focus on fixing any issues in how people and processes work. Technology should help support the people and processes, not be the only solution to the problem.
How can DataGuard help you secure your information?
DataGuard’s InfoSec-as-a-Service provides a host of services for your information security needs. Whether you are looking for industry-specific advice, support to set up your information security management system (ISMS), or ISO 27001 certification, we help you get things done right.
With our InfoSec-as-a-Service solution, you can:
- Win more business deals - We help you build an auditable ISMS that can demonstrate up-to-date security practices and optimal privacy for company and customer data.
- Gain a competitive advantage - With ISO 27001, you can stay compliant with industry and national regulations and gain a competitive edge over companies that don’t have an ISO 27001-compliant ISMS.
- Digitise your information security - Our web-based information security platform hosts all your processes in one place. It works together with our in-house experts to support your company through the implementation of your ISMS and beyond.
Information security continues to grow in importance as the online landscape develops and expands. Keeping information safe from threats is a collective effort that must be led by a company’s Head of IT. Therefore, you should be proactive and up-to-date with the latest security developments and trends, and ensure that best practices are being followed across the company.
Doing so will help to foster a good information security culture, gain competitive advantages and secure better business opportunities in the future.