Over the last 12 months, I have met with more and more companies and learned that many are looking at ISO 27001 and PCI accreditations. It is great that more people are taking data security seriously. However, during discussions with business leaders about their motivations, I have been dismayed to find that many just want the badge yet have little interest in improving their systems. Delving a little deeper, I found they liked the idea of better security but felt it was not required for their business, perceiving the probability of a security incident to be negligible. I am glad they are going through the process; it will force them to improve. Without a solid motivation, though, they will not get the real benefits, momentum will be lost, and ultimately they will see data security as a cost rather than as essential to doing business.
It is interesting that when you ask people about IT security, they talk about firewalls and penetration tests. Yes, security includes preventing unscrupulous people from hacking your network. It also includes ensuring the integrity of your data and protecting it from accidental loss or modification within your network. This means looking not only at firewalls and perimeter security but also at backup, DR, anti-virus, anti-malware, building security, working practices, documentation and, importantly, staff training.
Data security is important as most of today’s businesses are driven by their data. To put this into perspective, according to the Boston Computing Network’s Data Loss Statistics:
“60% of companies who lose their data shut down within 6 months of the disaster”.
Quite a staggering headline number. Not believing it and ignoring it presents a peril to your business. I strongly advise considering the real impact of a disaster, and what avoiding it is worth, before making decisions on your IT security budget and timeline.
Once you accept that data security is a necessity, it is fundamental to understand deeply what is important to your business and to your customers, and why. This allows you to prioritise your response. Every business has budgetary constraints, and it is likely you will be asked to justify the expense or disruption of any new security measures. Create a risk register, presenting the risks associated with each system in different real-life scenarios such as human error, software failures, fires, internet outages etc. I find the scenario-based approach to be the most persuasive, as it explains to non-technical board members that it is not just about “hackers”.
To summarise, I am not knocking Sarbanes-Oxley, ISO 27001 or PCI. They are great accreditations and demonstrate your commitment, but security should be taken seriously at all levels. This can be very daunting when starting out, so I suggest getting an external company to review your systems and processes and offer expert advice.
If you would like to speak to Fifosys about security or compliance we would love to hear from you.