Information security has become a pressing concern in today's world, with cybercrime making headlines on a daily basis. The vulnerability of IT systems and infrastructure is regularly exposed, highlighting the need for increased protection of critical systems. To ensure secure technology and peaceful coexistence, it is essential to prioritise information security.
In 2023, every company should focus on addressing the following top five priorities of information security: cloud security, AI/ML security, IoT security, cyber insurance and identity and access management (IAM).
1. Cloud Security
The first step in implementing a strategy for information security is the network and cloud security. The use of cloud services is booming – at least since the pandemic, in the context of remote work. The boundaries between companies are blurring, while the attack surface is increasing considerably. This trend is creating new risks that demand targeted security measures.
Best practices for cloud security
When it comes to risk management, it’s important to establish proper processes and procedures that specifically address security risks associated with utilising cloud services. In addition to other important issues outside of information security (QM, PM, system development, etc.), it is also important to consider the entire supply chain for cloud and IoT technologies.
- Multi-layer security controls:
Implement security controls at multiple layers (the network, application and data layers) to ensure potential threats are detected and mitigated before they can cause harm.
- Strong authentication:
Use strong mechanisms such as multi-factor authentication (MFA) to prevent unauthorised access to cloud resources. This will help protect against password attacks and other forms of identity theft.
- Encryption:
Encrypt data at rest and in transit to protect both from unauthorised access; rely on strong encryption algorithms such as AES-256. In addition, data processing should be secured through contracts and only take place in a specified country.
- Monitoring of cloud activities:
Check cloud activities regularly to detect potential threats early, such as suspicious logins and attempts to access protected data.
- Software updates:
Update your software and applications regularly and apply the latest security patches to prevent vulnerabilities from being exploited.
- Access controls:
Put controls in place to ensure that only authorised users can access cloud resources; consider role-based access controls and separation of duties.
- Updated security policies:
Keep security policies up to date to reflect changes in the threat landscape and current business requirements. You should review and update security policies internally and externally with cloud service providers. You should perform regular and ad hoc audits of external providers to ensure that they also meet your internal security requirements. We also recommend introducing an audit procedure for cloud providers (‘cloud policy’) that covers acquisition, use, management, and switching.
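The monitoring item above says to watch cloud activity for suspicious logins and attempts to reach protected data. As an added example (not code from the article or from DataGuard), the script below scans a few constructed sign-in audit events and applies three detection rules: a burst of failed logins, a successful login without MFA, and a login from a country the user has not been seen in before, then correlates a read of a sensitive resource with a new-country session. The event field names, thresholds and the sensitive-path prefix are assumptions rather than any provider's real schema.

```python
"""Added example: simple detections over constructed cloud sign-in audit events.
Field names (ts, user, event, result, mfa, country, ip, resource) are assumed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (JSON lines); IPs are documentation ranges.
SAMPLE_LOG = """\
{"ts": "2023-03-01T08:00:01Z", "user": "alice", "event": "login", "result": "success", "mfa": true, "country": "DE", "ip": "203.0.113.10"}
{"ts": "2023-03-01T08:05:00Z", "user": "bob", "event": "login", "result": "failure", "mfa": false, "country": "DE", "ip": "198.51.100.7"}
{"ts": "2023-03-01T08:05:10Z", "user": "bob", "event": "login", "result": "failure", "mfa": false, "country": "DE", "ip": "198.51.100.7"}
{"ts": "2023-03-01T08:05:20Z", "user": "bob", "event": "login", "result": "failure", "mfa": false, "country": "DE", "ip": "198.51.100.7"}
{"ts": "2023-03-01T08:05:30Z", "user": "bob", "event": "login", "result": "failure", "mfa": false, "country": "DE", "ip": "198.51.100.7"}
{"ts": "2023-03-01T08:05:40Z", "user": "bob", "event": "login", "result": "failure", "mfa": false, "country": "DE", "ip": "198.51.100.7"}
{"ts": "2023-03-01T09:12:00Z", "user": "carol", "event": "login", "result": "success", "mfa": false, "country": "DE", "ip": "192.0.2.44"}
{"ts": "2023-03-01T09:40:00Z", "user": "alice", "event": "login", "result": "success", "mfa": true, "country": "BR", "ip": "203.0.113.99"}
{"ts": "2023-03-01T09:41:00Z", "user": "alice", "event": "object_read", "result": "success", "mfa": true, "country": "BR", "ip": "203.0.113.99", "resource": "finance-bucket/payroll.csv"}
"""

FAILURE_THRESHOLD = 5                 # assumed: failures per user ...
FAILURE_WINDOW = timedelta(minutes=5)  # ... inside this sliding window
SENSITIVE_PREFIXES = ("finance-bucket/",)  # assumed protected data paths


def parse_events(text):
    """Parse JSON lines into dicts with a datetime timestamp, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect(events, known_countries=None):
    """Return a list of (rule, user, detail) findings in event order.

    known_countries: optional baseline {user: {country, ...}} from earlier logs;
    without it, a user's first observed country becomes the baseline."""
    known = defaultdict(set)
    for user, countries in (known_countries or {}).items():
        known[user].update(countries)
    failures = defaultdict(list)   # user -> recent failure timestamps
    flagged_bursts = set()         # users already reported for a burst
    new_country_sessions = set()   # (user, country) pairs reported as new
    findings = []

    for ev in events:
        user, kind, result = ev["user"], ev["event"], ev["result"]

        if kind == "login" and result == "failure":
            recent = [t for t in failures[user] + [ev["ts"]]
                      if ev["ts"] - t <= FAILURE_WINDOW]
            failures[user] = recent
            if len(recent) >= FAILURE_THRESHOLD and user not in flagged_bursts:
                flagged_bursts.add(user)
                findings.append(("failed_login_burst", user,
                                 f"{len(recent)} failures within {FAILURE_WINDOW}"))
            continue

        if kind == "login" and result == "success":
            if not ev.get("mfa"):
                findings.append(("login_without_mfa", user, ev["ip"]))
            country = ev["country"]
            if user in known and country not in known[user]:
                findings.append(("login_from_new_country", user, country))
                new_country_sessions.add((user, country))
            known[user].add(country)
            continue

        # Any other event: correlate access to protected data with a session
        # that was just flagged for logging in from a new country.
        resource = ev.get("resource", "")
        if resource.startswith(SENSITIVE_PREFIXES) and \
                (user, ev["country"]) in new_country_sessions:
            findings.append(("sensitive_access_from_new_country", user, resource))

    return findings


if __name__ == "__main__":
    for rule, user, detail in detect(parse_events(SAMPLE_LOG)):
        print(f"{rule:35} user={user:6} {detail}")
```

Each rule is deliberately simple so that the thresholds can be tuned per tenant; in practice the baseline of known countries would come from a longer history rather than the log being scanned.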
2. Artificial intelligence (AI) and machine learning (ML) security
Five key aspects ensure that AI/ML systems function properly and are used responsibly:
Data security – protection against unauthorised access, theft or manipulation.
Model security – protection against hostile attacks that can lead to wrong decisions or incorrect predictions.
Bias prevention – because biased AI/ML models can lead to discriminatory decisions.
Explainability – because AI/ML systems often make decisions that are difficult to understand or explain.
Integration of systems into existing infrastructure – because a lack of integration can lead to compatibility and control issues.
Best practices for secure AI/ML systems
- Data protection:
Protect sensitive data used for AI/ML model training and development through encryption and access controls.
- Model validation:
Before implementation, validate AI/ML models to ensure they are free of bias and vulnerabilities. This reduces the risk of AI/ML systems making incorrect or biased decisions that can harm individuals or organisations.
- Monitoring and audits:
Monitor AI/ML systems regularly for signs of misuse, such as data breaches and malicious activity. Conduct audits and penetration tests to identify and address potential vulnerabilities. Also, monitor the market and current news to stay on top of potential vulnerabilities.
3. Security in the Internet of Things (IoT)
As part of the fourth industrial revolution, IoT devices are being used to monitor production processes, maintain machines and control robots. Here are some real-world examples:
- Smart buildings: IoT sensors can be used to monitor and control energy consumption, temperature, air quality and lighting.
- Logistics: In logistics, IoT devices are used to track the position of goods in the supply chain, monitor transport conditions and automatically manage stocks.
- Retail: Another use for IoT devices is in retail, where they can automate inventory management, analyse customer movements and reduce staff and energy costs.
- Healthcare: IoT devices can be used in healthcare to monitor patient health, automatically dose medications and improve the efficiency of surgeries.
- Finance: In the financial industry, IoT devices are used to automate payments, prevent fraud and increase the efficiency of processes such as lending or asset management.
Typical IoT devices include laptops, smartphones and fitness watches, but they can also be smart refrigerators, fire extinguishers, speakers, etc. These last ones are not always recognised as IT devices requiring protection. As a result, they are often inadequately secured, poorly integrated into their environment, permanently connected to networks and hungry for data.
All of this makes them an easy target for hacker attacks, which, among other detriments, can mean the theft of sensitive data and the impairment of crucial systems. Since, as shown, IoT devices pose a high risk to businesses, the risks must be properly classified and protected against.
Best practices for secure IoT devices
- Device and endpoint security:
Secure IoT devices with strong passwords and encryption, and regularly implement security patches and software updates to prevent unauthorised access.
- Network security:
Implement measures such as firewalls and intrusion detection systems to protect IoT devices and networks from cyberattacks. Monitor network activity regularly for signs of malicious behaviour.
- Data protection:
Protect data collected by IoT devices, for example, using encryption, access controls and data retention policies. In addition, GDPR requirements must be complied with to ensure data protection. These include, for example, appropriate and comprehensive DPAs with corresponding TOMs. Alongside the rules related to information security, another essential measure is a data protection impact assessment (DPIA).
- Staff awareness:
Make your staff aware of the risk inherent in IoT devices and train them regularly in their proper use.
It makes sense to offer staff training not only in IoT but for practically all areas where cyber threats are a real and present danger. If you’re struggling with limited resources for training, don’t worry. You can visit the DataGuard Academy for training courses designed to raise employees’ awareness of data protection and information security.
4. Cyber insurance
Cyber insurance provides financial protection against losses caused by cyberattacks. Coverage includes the costs of responding to an incident – for example, you might have to hire experts to investigate and even face fines or legal fees later.
Cyber insurance can help businesses with risk management by offering coverage for potential cybersecurity incidents. Once a policy is in place, the insurance provides businesses with the peace of mind that they will be protected if things go south and that they meet requirements imposed by regulations and standards.
Best practices for choosing cyber insurance
- Insurance coverage:
Check what types of cyber incidents the insurance policy covers and the limit of liability. Make sure you are adequately protected against potential cyber incidents.
- Costs:
Contrast the costs of the insurance policy with the costs you may incur by suffering a cyber security incident, such as legal fees, costs related to data breaches and fines.
- Reputation:
Look into the insurance provider’s reputation to ensure they can successfully handle claims and provide professional customer service.
- Expertise:
When choosing an insurance provider, prioritise expertise and the provider’s ability to provide support in the event of a cyber security incident.
- Claims process:
Ensure the insurance provider’s process is transparent and easy to understand and that they have proven their ability to process claims quickly and fairly.
Hint: If you want to protect your company against cyber threats by getting cyber insurance nowadays, you’ll need to be prepared – that means preventative measures as well as an emergency contingency plan. ISO 27001 certification will simplify contract negotiations – in some cases, you won’t be able to have them in the first place without it.
5. Identity and access management (IAM)
IAM involves controlling access to systems, applications and data based on a user’s role and privileges. It gives companies a centralised and verifiable overview, making it easier to comply with regulations or industry standards and increase productivity. Users benefit because IAM makes working with systems, applications and data more consistent, secure and user-friendly.
Best practices for implementing IAM
- Risk assessment:
Conduct a risk assessment to identify your systems, applications and data that must be protected. Record the potential risks and prioritise IAM measures.
- Centralised control:
Create a single point of control for managing digital identities and access to systems, applications and data through a centralised IAM system.
- Role-based access:
Implement role-based access control to ensure users only have the access rights they need to perform their tasks.
- Multi-factor authentication:
Increase security by requiring users to provide more than one form of authentication, such as a password and security token.
- Monitoring and audits:
Use monitoring and auditing mechanisms to ensure access to systems, applications and data is properly used. This will make it easier to spot potential security incidents and respond more quickly.
- Creating a policy:
To document the content and rules you regulate, creating a separate IAM policy is advisable. This ensures your specifications are standardised and binding on all interested parties.
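The cloud section above recommends role-based access control with separation of duties, and the IAM list repeats role-based access, MFA and auditing of access decisions. The following is an added example, not code from the article or from DataGuard, that shows how those three items fit together in a small policy check: roles map to permissions, a role assignment is rejected when it would give one person a conflicting permission pair, privileged actions additionally require an MFA-backed session, and every decision is written to an audit record. The role names, permission strings and conflict pairs are constructed for illustration.

```python
"""Added example: RBAC with separation-of-duties constraints, an MFA gate for
privileged actions, and an audit trail. All names are constructed."""
from dataclasses import dataclass, field

# Assumed role -> permission mapping (constructed for the example).
ROLE_PERMISSIONS = {
    "viewer": {"report:read"},
    "payments_clerk": {"report:read", "payment:create"},
    "payments_approver": {"report:read", "payment:approve"},
    "cloud_admin": {"report:read", "iam:assign_role", "bucket:delete"},
}

# Separation of duties: permission pairs one person must never hold together.
SOD_CONFLICTS = {frozenset({"payment:create", "payment:approve"})}

# Actions that also require MFA on the current session.
PRIVILEGED = {"iam:assign_role", "bucket:delete", "payment:approve"}

AUDIT_LOG = []  # one dict per decision; a real system would ship this off-host


@dataclass
class Session:
    user: str
    roles: set
    mfa: bool = False  # whether this session authenticated with a second factor


def permissions_for(roles):
    """Union of permissions granted by a set of roles; unknown roles are an error."""
    perms = set()
    for role in roles:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {role}")
        perms |= ROLE_PERMISSIONS[role]
    return perms


def sod_violations(roles):
    """Return the conflicting permission pairs a role set would grant."""
    perms = permissions_for(roles)
    return sorted(tuple(sorted(c)) for c in SOD_CONFLICTS if c <= perms)


def assign_roles(user, roles, mfa=False):
    """Create a session only if the role set respects separation of duties."""
    violations = sod_violations(roles)
    if violations:
        raise PermissionError(
            f"separation of duties violated for {user}: {violations}")
    return Session(user=user, roles=set(roles), mfa=mfa)


def authorize(session, action):
    """Decide whether the session may perform the action and record the decision."""
    if action not in permissions_for(session.roles):
        decision = "deny:no_permission"
    elif action in PRIVILEGED and not session.mfa:
        decision = "deny:mfa_required"
    else:
        decision = "allow"
    AUDIT_LOG.append({"user": session.user, "action": action, "decision": decision})
    return decision == "allow"


if __name__ == "__main__":
    approver = assign_roles("alice", ["payments_approver"])
    print(authorize(approver, "payment:approve"))   # denied: no MFA on session
    approver.mfa = True
    print(authorize(approver, "payment:approve"))   # allowed
    try:
        assign_roles("bob", ["payments_clerk", "payments_approver"])
    except PermissionError as exc:
        print(exc)
    for entry in AUDIT_LOG:
        print(entry)
```

Keeping the conflict pairs as data rather than scattering them through the code makes the separation-of-duties rule something the IAM policy itself can state and that an audit can check against the deployed configuration.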
How DataGuard can help
DataGuard provides a web-based platform and consulting services on information security. Our in-house experts can help you establish and run an ISMS (information security management system) or help you get ISO 27001 certified. Every member of our team of experts has in-depth knowledge and experience with best practices from a multitude of projects and assessments – so you can get the know-how you need.
Our user-friendly Information Security Platform provides you with numerous guidelines and templates for implementing an ISMS. This means you have a valuable foundation to use and adapt to your processes to ensure you comply with information security requirements.
Another useful resource is the DataGuard Academy, a platform-based and efficient way to complete courses in information security training – and familiarise yourself with all related topics during the process.
Businesses need to address the topic of information security as soon as possible so they are protected against attacks. These top priorities give you concrete steps to address the most urgent issues.
Need more information about information security? Want advice on setting up an ISMS or training your staff? We’re happy to help! Contact one of our information security experts today.