The Importance of Information Security Policy in The Prevention and Mitigation of Cyber Attacks.

Most modern businesses rely on digital services and information to operate on a day-to-day basis. If these services and resources become compromised, the consequences can be severe both financially and legally, often resulting in considerable damage to a business’s reputation. In its 2022 Cost of a Data Breach Report, IBM highlighted that 83% of organisations had experienced more than one data breach (IBM, 2022). The prevention and mitigation of this damage therefore ought to be high on the priority list of any executive. Many threat actors wish to gain unauthorised access to a business’s network. These include “script kiddies” (people using existing tools with limited knowledge of how they work), “Black Hats” (experienced hackers using their expertise for financial gain) and state-sponsored attackers, who use the funding and support of governments to perform malicious activities for geopolitical reasons (Ben Gorman, 2023).

What do you mean by Information Security Policy?

Information Security Policy refers to the policies, standards and guidelines devised and enforced by a business to protect sensitive information and data from unauthorised access (ISMS, no date). These procedures are integral to a business’s defences and should be understood and acted on by all employees. Fundamentally, an Information Security Policy should guide a business when it introduces new technologies or encounters new situations. This can be done by assessing each of them against the Confidentiality, Integrity and Availability (CIA) Triad.

The CIA Triad

The CIA Triad is a core concept in information security: a model used to understand how to protect a business’s valuable digital assets. Its three components are Confidentiality, which concerns the secrecy of information and making it accessible only to authorised entities (Death, 2023); Integrity, which involves maintaining the accuracy and consistency of information (Death, 2023); and Availability, which means systems and data remain functional and accessible. Understanding this model will improve the security of any business or project. It should be considered whenever a new system or technology is introduced into the business, and when security protocols are reviewed, existing technologies should be reassessed and judged against the same three properties. Not only does the triad form the foundation of cyber security systems, it also helps businesses comply with data privacy legislation and reduce the damage when an attack does occur (RiskXChange, no date). This leads us to the next step, risk management.

Risk Management

Running any digital service carries risk. Accepting that something unfortunate will happen at some point, and that you cannot protect against every avenue of attack, is the strongest position to be in. Attacks that exploit so-called zero-day vulnerabilities are impossible to protect against in advance, as the software or hardware manufacturers themselves are unaware that the flaws exist. Known vulnerabilities, however, can be defended against: systems can be patched or their configurations modified to account for them, and regular review of this can be built into a well-maintained Information Security Policy. It is integral to understand that a strong, well-thought-out and properly executed risk management plan can limit and, in some cases, prevent damage from occurring. Risk management is defined differently by different organisations and standards.

Which standards are used?

One of the most well-known and widely used sets of standards is ISO/IEC 27005, which shows how to conduct an information security risk assessment in accordance with the requirements of ISO 27001 (ITGovernance, 2023). This standard is relevant to any organisation, regardless of its size or the industry it operates in.

The ISO 27005 risk management approach can be classified into 6 key components.

Why should my company use this standard?

This standard has been adopted by many companies and is also used by government and non-profit organisations. It is designed to be flexible enough to adapt to any size of business. This matters because many executives of smaller organisations consider security to be an optional extra. This is a fallacy. Treating the security of an organisation’s digital assets as an extra would be both reckless and dangerous, not only to the business and its reputation, but also to the very customers it relies on, and in the worst case it could result in legal action.

There have been several cases where organisations with a poor understanding of, or commitment to, security have ended up facing legal action. This is because they are responsible for the digital assets they collect and store; meeting that responsibility is known as compliance. Data being sent, used or stored must be protected in different ways. Data can exist in three states, known as data at rest, data in transit and data in use (Marko Dinic, 2022). A failure to protect data in any of these three states will result in non-compliance and, depending on the severity and situation, the organisation may be in breach of a number of security laws or regulations.

What legislation is there regarding security in the UK?

Data Protection Act & UK General Data Protection Regulation

Several laws and regulations have been designed to protect sensitive data, and there have been instances where major corporations have failed to meet their requirements, such as British Airways, which faced a £183m fine following a data breach in 2018 (BBC, 2019). These laws are integral to the creation and maintenance of any Information Security Policy. The first of them is the Data Protection Act (2018). The DPA works in conjunction with the UK GDPR (General Data Protection Regulation) to require strong security measures that safeguard the personal data organisations collect and process, and to reduce security breaches (Kyle Chin, 2023). A failure to comply with this law can produce fines of up to £17.5 million or 4% of annual global turnover. The UK GDPR offers similar punishment for organisations failing to meet its standards, one of which is having a security policy that meets the GDPR’s requirements.

Network and Information Systems (NIS) Regulations

The NIS Regulations’ primary function is to “detect and manage the threats to the security of network and information systems in an acceptable and proportional manner” (UK Government, 2023). These regulations focus on organisations considered to be digital service providers, such as search engines or online marketplaces, and on operators of essential services, meaning healthcare, energy, transport and other public services (Kyle Chin, 2023). They may not apply to every business, but it is important to be aware of the legislation in effect in the UK. Following the largest organisations’ lead on security policy is an effective way to stay up to date with the changing landscape of security threats.

What are some things I can do to increase security straight away?

Physical Security

Introducing new security measures into the office is the best place to start preventing cyber-attacks. Uncontrolled physical access to sensitive systems is one of the main causes of disruption. Creating policies around the office environment and providing cybersecurity training to all personnel is necessary. Examples of new policies could include: mandatory training for staff, a clean desk policy, ID verification on building entry, surveillance systems and visitor tracking systems. All of these policies should be checked and tested on a regular basis to ensure that every employee understands them and knows the risks.

Cybersecurity

The best way to start implementing the ideas in this document is to hire a security consultant to set up your organisation’s security policy using one of the frameworks mentioned above. This provides a solid foundation for future implementation and review. Ideas worth considering include MFA (Multi-Factor Authentication) for access to systems, and a hierarchical user management system with dedicated groups of users that limits each employee’s access and control; this prevents unauthorised use of tools and storage by rogue or untrained employees.

Conclusion

To conclude, having a robust Information Security Policy based on a well-known and respected framework, such as ISO/IEC 27005, allows your organisation to progress with its digital business. Seeing the common pitfalls of other companies and the damage they cause is a keen motivator to take control of your digital assets. If the only takeaway you make from this blog is to introduce a new in-house security policy, then that is a success. All of these things take time and resources to implement, but they are a necessary part of managing your information systems.

References

IBM. (December 2022), Cost of a Data Breach Report 2023. IBM [Accessed on 24th November 2023]

Gorman, Ben. (July 14, 2023), Different Types of Hackers: White Hat, Black Hat, Gray Hat, and More. AVG [Online] [Accessed on 25th November 2023] https://www.avg.com/en/signal/types-of-hackers

ISMS. (no date), Information Security Policy [Online] [Accessed on 25th November 2023] https://www.isms.online/information-security/policy/

Death, Darren (October 2023), Information Security Handbook. Second Edition, Packt Publishing.

RiskXChange. (no date), What Is the CIA Triad Security Model? RiskXChange [Accessed on 25th November] https://riskxchange.co/1006933/what-is-the-cia-triad/

ITGovernance. (2023), ISO 27005. [Online] [Accessed on 29th November] https://www.itgovernance.co.uk/iso27005

BBC. (July 8, 2019), British Airways faces record £183m fine for data breach [Online] [Accessed on 29th November] https://www.bbc.co.uk/news/business-48905907

Marko Dinic. (May 02, 2022), A Complete Guide to Encryption — Data at Rest, Data in Motion and Data in Use. [Accessed on 1st December] https://jatheon.com/blog/data-at-rest-data-in-motion-data-in-use/

Kyle Chin. (Aug 11, 2023), List of Cybersecurity Laws and Regulations in the UK. [Accessed on 1st December] https://www.upguard.com/blog/cybersecurity-laws-regulations-uk

UK Government. (May 03, 2023), The Network and Information Systems Regulations 2018. [Online] [Accessed on 2nd December] https://www.legislation.gov.uk/uksi/2018/506