
    Pragmatic Steps to Protect your Business

    Sometimes bad things happen to good people, and the same is true in business. Information security incidents happen, and while there is no silver bullet that will provide complete protection in any company, there are steps that can be taken to improve the odds and limit the risk.
    Take the two very different types of information security incidents:-

    • An internal breach caused by human error and a system hiccup
    • An external incident caused by malicious attack on an outsourced provider

    Based on our experience here are sensible, pragmatic steps that will reduce the risk of these types of incidents happening to your business.


    Gone but not forgotten – Sensible security steps when outsourcing

    Outsourcing is a reality of modern business.  Many companies today focus on their core operations and outsource ancillary functions.  If your business outsources to contract service providers, here’s what we recommend you do to help manage your information security risk:-

      1. Don’t work on assumptions
        Just because they are certified doesn’t mean you’re safe. Like most things in life, not all security certifications or standards are equal: they all have different degrees of rigour, some are less reliable than others, some can be confined to particular aspects of the business and some can be fast-track accreditations. Even well-known security standards such as ISO 27001, while a good indicator that an outsourcing supplier takes security seriously, are no foolproof guarantee. So don’t work on the assumption that all is well just because your outsource partner has a security certification. Take the time and make the investment to dig a little deeper: spend the time upfront to understand how the supplier works and how they approach security, and look for evidence that security policies are actually implemented in their everyday work practices.

      2. Conduct an independent risk assessment
        In our view, an outsourcing supplier should be viewed from an information security perspective as part of your wider organization – while you might be outsourcing a process or service you are not outsourcing the ownership of the risk.  So from the outset it’s important to get an independent view of the potential business impact and probability of something going wrong.  When assessing information security risk it’s important to take a 360 degree view and consider external and internal threats as well as the likelihood of accidental incidents due to people, process or system failure that could expose your company to risk.   As they say, forewarned is forearmed and a comprehensive risk assessment upfront is a smart step in mitigating the security risks of outsourcing.

      3. Make sure they practice what they preach
        What people say and what people do can often, unintentionally, be two very different things. So we strongly recommend that if the outsourcer has access to sensitive data or significant company assets, on-site due diligence and verification should be carried out. Walking in the shoes of your outsourcer and its staff will give your business a much deeper insight into what actually goes on at the coalface, an understanding of the processes in place, and a check that the company’s security controls are embedded and proactively adhered to.

      4. Undertake penetration testing
        Limit your risk by vetting your outsourcer in the same way you would vet your own company, and that should include penetration testing. Don’t rely purely on technology for testing; behind an attack or an incident there is usually an element of human involvement. Take the time and make the investment to approach penetration testing wearing a number of different hats, from the professional criminal to the inadvertent staff member. This way you will bring a degree of rigour to the process that technology alone simply can’t deliver.

      5. Get it in writing
        They say good fences make good neighbours; well, good contracts make good partnerships. Be clear from the start what your company’s expectations are with regard to ongoing information security controls and provisions dealing with data protection. Get suppliers to sign up to guarantees regarding the security standards they will follow. Build into the contract proof points and verification criteria to demonstrate on a regular basis that what’s been agreed is being adhered to.

      6. Keep it alive
        Audits and contract renewals have a natural tendency to occur annually; the risk of an information security incident has no time bounds. Make sure you agree with your outsourcer the frequency with which they will undertake to reassess their external and internal risks and vulnerabilities. Don’t leave it to chance.

    But is it worth the hassle? We think so. For many businesses outsourcing is a sensible strategy that will bring benefits; the trick to mitigating its potential risks is to ensure information security is front and centre of any outsourcing negotiations.

    Unintended internal error – Straightforward security steps to help prevent mistakes

    Last year around 70 per cent of the security incidents we were called in to help with were internal in origin. No external attack, no sophisticated cybercrime or organised assault, but the innocence of the cause did not lessen the potential seriousness of the incident for the business.

    But what can companies do to safeguard against accidental internal risk? Is this not just a matter of the luck of the draw? In our experience there are three key things that can help limit your risk:-

      1. Educate your people
        Mistakes happen, but mistakes happen more often when people are not aware of the significance or business impact of something going wrong. All too often we see companies focusing on malicious information security risks and paying little attention to the unintentional internal security risks.

        Educating your people on the critical importance to the business of the security of sensitive data is a key starting point. Helping them understand how simple errors can lead to serious consequences for the business starts to create a consciousness around information security that may inadvertently be lacking.

        Information security training is imperative to help bring the issues and risks to the forefront of your employees’ minds and to help them assess their actions, review processes and consider safety checks in a totally different light. Most companies forget about the impact that the people at the front line can inadvertently have on information security risk and fail to sufficiently bring them into the loop.

      2. Leave nothing to chance
        Things change, and in today’s business world systems, processes and procedures change frequently and fast. With every change comes the chance of a security risk, yet all too often security input or testing is left off the agenda when it comes to implementing a change to a system or process. This leaves the business unintentionally exposed. The answer is to leave nothing to chance: information security needs to be systematic within the organisation. No change, big or small, should go under the radar, and the question of information security should be factored into the equation every time.

      3. External random checking
        Sometimes it’s hard to see the obvious. When you’re immersed in a business or process it can be hard to look at it with a cold eye and see where it’s weak, where it’s strong and where the risks lie. That’s why it is always smart to get a new set of eyes to look at what’s going on. Where sensitive information or significant company assets are involved, independent random spot checks on the systems and processes in place often uncover obvious but unobserved vulnerabilities. There is nothing like a new set of eyes to show things in a different light.

    Let’s be honest, it’s impossible to fully eliminate the risk of human error or system failure, but it is possible to decrease the chances of it happening. Time and again we see the positive impact of simple steps, such as those above, that when taken consistently embed information security into the hearts and minds of people and organisations.

    So what to do? While there is no one-size-fits-all approach to managing information security risk, there is a one-size-fits-all piece of advice: get the question of information security out of the annual audit and compliance agenda and on to the daily business agenda.
    For more information call us on (01) 642 0100
    This document is for general guidance only and should not be regarded as a substitute for professional advice.