
    Making the move to secure managed information services

    For years successful business strategies have been built around the concept of focus. Smart companies keep their operations one hundred percent focused on what is core to their business; they invest in building up expertise, experience and skills in these areas and partner with others for services that fall outside of that core.
    When it comes to information security, outsourcing is a trend that is rapidly emerging in the Irish market. As information security becomes more complex and needs deeper and broader expertise, many companies are choosing to partner with experts in this field so that they can stay focused on what’s vital to their business while staying secure.
    Here’s what it looks like:
     
    All you can eat: Information Security Officer as a Service (ISOaaS)
    As the whole arena of information security, both internal and external, has become more complex, so too has the depth and breadth of skills needed to tackle it.  Today, the range of expertise and skills required to keep a business and its information secure simply no longer exists in any single person.
    So what do you do? Build up a large team of in-house experts with the diversity and range of skills you need? For most organisations this is simply not financially viable or commercially feasible. In fact it simply doesn’t make sense, as demand for such expertise is most likely to peak and trough rather than be a constant flow. What forward-looking operations are moving towards is an on-demand service: the ability to access the skills they need when demand is at its peak, for example when the business is:

    • designing, developing and launching a new application or service
    • reassessing its information security strategy
    • updating its policy libraries
    • dealing with an actual information security incident
    • performing an urgent compliance work programme pre- or post-audit
    • assessing a particular security technology and its application

    with the flexibility to put resources “on-hold” when demand is low.
    At Ward we have seen clients struggle with trying to balance the skills, resource supply and demand.  So we created our “Information Security Officer as a service” offering – it’s a first for the market.
    What this means is that clients get access to the talent they need – specialised resources at the cutting edge of information security – as and when they need it. People who not only understand information security but who also understand our clients’ business environment and who can work as trusted professionals, part of their in-house team for as long or as short a period as needed.
    In our world of on-demand services it makes sense that companies should be able to access first-class information security services that can ebb and flow to match the needs of their business.
     
    The house menu: End-to-End Secure Managed Service
    It’s a simple fact – sometimes something is just so very important that it makes strategic sense to make it the sole focus and priority of one group of focused people.
    As managing information security gets more complex, taking a piecemeal approach to the security of critical information applications – from design and build to the ongoing management and operation –  can leave companies open to potential security cracks and gaps.
    So what’s happening?  In short, what we see are many businesses starting to outsource the full end-to-end secure management of critical information assets within their business.  One partner, one team and one set of experts fully responsible for every aspect of securely managing the service – from

    • building the application
    • deploying the application
    • operating the application
    • managing the integrity of the business logic and process workflows surrounding the application

    Where a business is reliant on an application or service whose daily operation needs to be close to flawless in terms of the security of the sensitive information it handles, the integrity of the processes it runs and the availability of the service it provides – focusing one set of dedicated people to the task who live and breathe little else – makes smart business sense.
    It’s what we here at Ward refer to as our end-to-end secure managed services offering and it’s one of the services our clients thank us most for!
     
    À la carte: Select and Secure
    As no two companies are the same, it makes sense that there is no one-size-fits-all approach when it comes to what organisations need in relation to information security services. For some it is intermittent access to resources to manage the peaks and troughs of demand. For others it is the full outsourcing of the secure management of a critical information asset, or the outsourcing of one aspect or niche service of their information security requirements.
    So here at Ward we try to be as flexible as people need us to be.  That’s why we have what we call an “À la carte” secure managed services offering for companies who need it.  In short this works for organisations who want a partner that will look after one aspect of the operation’s information security requirements – be that a compliance aspect or a particular security service that requires niche expertise.
    For example, one emerging trend is the outsourcing of log management and security information and event management (SIEM) driven by compliance obligations such as PCI. In this case the sheer volume of work involved in monitoring and reviewing all event logs, along with proactively acting upon any identified anomalies, makes handling SIEM internally a resourcing nightmare for many IT departments.
    The increasing complexity of the information security landscape – internally and externally – along with rising regulatory obligations means that for many it makes sense to outsource some or all of the organisation’s information security requirements to those who make it the sole focus of their business.
    At Ward we have watched this trend organically emerge in the market and what we have done is create a comprehensive and flexible range of services to best support what businesses need.
    For more information on secure managed services or any information security issue call us on (01) 642 0100.
    This document is for general guidance only and should not be regarded as a substitute for professional advice.

    Irish Independent Article

    Making the move – why Irish businesses are turning to managed information security services in the battle to protect their companies and customers from the upward spiral of security incidents.
    Like many things in the world today, the arena of information security is becoming more complex on a daily basis. While it’s natural (and partially true) to think the complexity is being driven by the increasing volume and sophistication of external threats, this is really only half the picture. Any IT executive who is responsible for information security knows only too well that the changing nature of the business environment itself brings to the table a new raft of complexities that impact information security. From the adoption of cloud and managed services to increased compliance obligations, your own devices and rapidly evolving malware attacks, there is little doubt that information security issues are on the rise.
    With this comes increasing demands on IT departments to protect their operations in an environment that is in constant flux.
    As a result executives are starting to re-evaluate their information security strategies and look for new ways forward. One trend that has emerged is that of “security as a service”.
    Pat Larkin and Paul Hogan are co-founders of Ward Solutions, a company that specialises in the area of information security. Here are some information security trends that they see emerging in the Irish marketplace.
    Information Security Officer as a Service (ISOaaS)
    Increased information security complexity – internal and external – means an increased need for expertise. The range of expertise and skills that the information security role requires can no longer exist in any single resource. The question is: do you need that expertise on a 24×7 basis? The answer is sometimes yes and sometimes no. In most businesses there are certain times when the company needs access at its fingertips to the best and brightest brains in the area of information security. This might be when the business is designing, developing and launching a new application or service, reassessing its information security strategy, updating its policy libraries or dealing with an actual information security incident. The need for deep and extensive expertise at intermittent intervals is creating a real demand for “security as a service” type offerings. For one, security as a service makes better economic sense than hiring an extensive in-house team full time, but more importantly it enables the business to access specialised resources that are at the cutting edge of information security trends and innovations.
    “What we see in the market is a real demand from clients who want to be able to tap into a comprehensive range of information security skills when and where they need them. They want to have a trusted partner that they can call upon, one that knows their business and can be part of their team for as long as is required. This demand has led us to create our Information Security Officer as a Service offering for clients. On an ongoing basis we supply clients with access to the best in the business with predictable service levels and costs so that they don’t have to build and maintain full-time in-house expertise,” explains Pat Larkin.
     
    Managed Security Service: From Start to Finish
    There is little doubt about the fact that IT is a critical service provider within most businesses today. There is growing recognition that the field of information security is a very specific part of the overall IT operation, one that is highly important and that requires deep and constantly evolving levels of expertise.
    With this recognition comes a realisation that for some organisations, where critical information assets are involved, the best strategy forward is to outsource the end-to-end information security management of those assets to an expert in the field.
    What does this mean?  Put simply it means contracting the ongoing services of an information security expert to manage all aspects of a critical information asset within your business. Someone who can securely build the application, deploy and operate it on an ongoing basis. A partner who is responsible not only for the security of the application but also for the security and integrity of the business logic and process workflows that surround the application – in short the end-to-end secure management of an application or service that is critical to the business in terms of confidentiality of data, integrity of process and availability of service.
    “With the growing internal and external complexities around information security fewer and fewer companies are willing to take risks when it comes to critical information assets within their business.  With this comes a realisation that information security is simply not a core competency that they have.   What they want is to partner with someone who is 100% focused on this area so that they can rest assured they have done the utmost to protect their business and their customers” explains Pat.
    Selective Services
    For some companies the growing trend is to turn towards managed services for certain selected information security services.  Whether the internal driver is compliance or critically important assets the approach remains the same. Rather than bring the skill set in-house, the company chooses to outsource to a managed service provider.
    One emerging trend is the outsourcing of log management and security information and event management (SIEM) driven by compliance obligations such as PCI. The sheer volume of work involved in monitoring, reviewing and taking action to address identified anomalies makes handling SIEM internally a nightmare for many IT departments.
    “For some businesses certain regulatory requirements not only require a specialist skill set but are also highly labour intensive and time consuming. More and more we see businesses looking externally for managed services to support their regulatory obligations on an ongoing basis. It makes sense to outsource what is not core to your business,” comments Pat Larkin.
    Managed information security services are a growing trend in both the local and global markets, with more and more businesses turning to third-party suppliers to procure specialist services that are simply difficult and costly to build in-house.
    Ward Solutions has been in the business of information security for over 15 years. The company has a team of over 60 security professionals working with over 250 clients in Ireland. It is the trusted information security partner for companies such as CIE, Laya Healthcare, Vodafone, National College of Ireland, Bord Gáis, Fleetmatics and the Department of Jobs, Enterprise and Innovation.
    For more information visit www.ward.ie or contact Pat Larkin on (01) 642 0100
     

    Making Information Security Pay – Enabling Your Organisation

    Over the last few years I have done numerous presentations on the topic of information security, both at C-level events and at more focused information security gatherings. I always start by asking the audience a simple question: do they view information security as a cost or as an “asset” to their business?
    Almost every time the majority seem to classify information security as a necessary “cost”, unless the audience is made up of information security professionals or I am briefing executives following a recent information security incident. In these cases, unsurprisingly, the majority of people typically cite information security as an “asset” to their business.
    As I have performed this less-than-scientific exercise over the years, there are two things that continue to strike me:

    1. The consistently held view, even by some professionals in the field, that information security is all about prevention and insurance: a necessary cost to try and stop bad things happening.
    2. How difficult it is for information security professionals to sell information security to their own management and board, despite the well-known risks and potential catastrophes that their business could face as a result of a compromise.

     
    However, things are changing and I do see a gradual but steady increase in the number of people starting to view information security as an asset to their business. In my opinion this turning tide is directly attributable to two significant factors:
     
    Raised Awareness:
    First the really obvious reason: raised awareness at every level in the organisation due to the growing number of organisations featured adversely due to some significant customer data breach or service outage. And it’s impacting us all: as a consumer I have received 4 notifications in the last 18 months from companies holding my or my family’s sensitive data about some significant loss or compromise of this information.
    The traditional approaches to business case justifications for spend on information security are well documented and established. They are typically either a compliance-based argument, for example:
    “In order to continue taking online payments at the volume we are doing, we must be PCI DSS compliant, and requirement 1 states that we must install and maintain a firewall configuration to protect cardholder data. Without this we are not compliant and cannot do business” – QED.
    Or, alternatively, a Return on Investment (ROI) argument, hopefully with some associated qualitative or quantitative risk assessment analysis supporting it, for example:
    “The typical all-in cost of a data breach occurring on personal or financial data is €115 per record. We process or hold 70,000 records; if the risk is that all or even a percentage of these, e.g. 20%, are disclosed or compromised then the potential cost to the organisation is estimated to be €1.61M. The cost of appropriately securing the information systems that hold these records is €30,000 capex and €6,000 opex per annum, and this implementation reduces the likelihood of breach to a very low probability of less than 5%” – QED.
    As you can see, these types of arguments, though perfectly valid, still to some degree reinforce the established perception of information security as necessary insurance or a risk mitigation cost.
    Positive Leadership:
    The second most significant factor in shifting organisations’ perception of information security as a cost is the positive leadership of information security managers themselves. Traditionally the information security role, by virtue of its inherent risk management responsibility, was typically risk averse, sometimes overly policy driven and on occasion perceived within the business as the “department of NO”. Thankfully this is a rapidly changing perception.
    The successful Information Security Officers or CISOs that we work with have figured out that the above arguments are the bread and butter of their day job: keeping the business appropriately safe and secure. Where they invest their remaining time is in understanding in detail their organisation’s needs and challenges. They actively engage with the relevant parts of the business to add value above and beyond insurance and prevention. They look for opportunities for information security to help the business to innovate: to take managed risks, to achieve business goals and to contribute to the bottom line.
    Practical Examples
    Let’s look at some practical examples:
    We do a lot of work with Higher Education and Research clients nationally and internationally. The traditional student (customer) processing models have shifted unrecognisably in this sector in the last 10 years, from a primarily on-campus-only, manual, slow, cumbersome, paper- and people-based education and service delivery model to a hybrid mix of online/virtual learning plus some on-campus education, accreditation and service delivery. In this model students can register, pay their fees, select their courses, access academic content, submit assessments and attend virtual lectures.
    Key to this transformation is the provision, automation and integration of a heady mix of education information systems and conventional line-of-business systems such as student registration and administration systems, e-Learning systems, financial systems, HR systems for academic and administrative staff, timetabling systems, examination systems, research management systems and so forth. A typical education institution has 300+ applications, 10,000+ students, 1500+ staff, 4000+ joiners and leavers per annum and turns over €100M+ a year. Providing seamless, secure access to services for students and staff from anywhere in the world whilst protecting personal data, financial integrity, examination and accreditation integrity, intellectual property, service availability and so forth is no mean achievement.
    From an information security innovation perspective, CISOs in Higher Education institutions are truly enabling partners in this transformation by utilising information security management technology solutions such as:
    Identity and Access Management Solutions:
    To automate the really complex, time-sensitive provisioning and de-provisioning of large volumes of joiners and leavers, and the comprehensive change management processes that all of the users in these institutes typically go through. This enables the transformation in a heavily automated, mobile and highly dynamic environment, with positive or improved end user experiences, whilst removing a lot of previously expensive, labour-intensive, slow, error-prone manual processes with poor user experiences.
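    As an added example (not Ward’s code or any IAM product’s logic), here is the joiner/mover/leaver reconciliation that such automation performs: it compares a constructed HR roster with constructed directory accounts under a hypothetical role-to-group policy and returns the provisioning actions needed, including stale entitlements for movers and orphaned accounts with no HR record.

```python
"""Reconcile an HR roster against directory accounts (joiners, movers, leavers).

Added example, not Ward's code: the HR records, directory accounts and the
role-to-group mapping are constructed inline. A real run would read the roster
from the HR/student-records export and the accounts from AD/LDAP.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Hypothetical entitlement policy: which directory groups each role should hold.
ROLE_GROUPS = {
    "student": {"lms-users", "library"},
    "lecturer": {"lms-users", "library", "staff-vpn", "exam-system"},
    "researcher": {"lms-users", "library", "staff-vpn", "research-share"},
}


@dataclass(frozen=True)
class HrRecord:
    person_id: str
    role: str
    start: date
    end: Optional[date] = None  # None means still enrolled / employed


@dataclass
class DirectoryAccount:
    person_id: str
    enabled: bool
    groups: set[str] = field(default_factory=set)


def reconcile(hr, directory, today):
    """Return the actions that bring the directory in line with HR as of `today`.

    Each action is (verb, person_id, detail). One HR record per person is
    assumed; a person who leaves and rejoins would need the latest record.
    """
    accounts = {a.person_id: a for a in directory}
    actions = []
    known = set()
    for rec in hr:
        known.add(rec.person_id)
        acct = accounts.get(rec.person_id)
        active = rec.start <= today and (rec.end is None or rec.end >= today)
        wanted = ROLE_GROUPS.get(rec.role, set())
        if active and acct is None:
            actions.append(("create", rec.person_id, sorted(wanted)))  # joiner
        elif active and not acct.enabled:
            actions.append(("enable", rec.person_id, sorted(wanted)))  # returner
        elif not active and acct is not None and acct.enabled:
            # Leaver: disable rather than delete so audit trails survive.
            actions.append(("disable", rec.person_id, None))
        elif active:
            # Mover: entitlements must match the current role exactly, so both
            # excess (stale) and missing groups are reported.
            extra = sorted(acct.groups - wanted)
            missing = sorted(wanted - acct.groups)
            if extra:
                actions.append(("remove_groups", rec.person_id, extra))
            if missing:
                actions.append(("add_groups", rec.person_id, missing))
    # Orphans: enabled accounts with no backing HR record at all.
    for pid, acct in accounts.items():
        if pid not in known and acct.enabled:
            actions.append(("orphan", pid, sorted(acct.groups)))
    return sorted(actions, key=lambda a: (a[0], a[1]))


# Constructed sample data for a run dated 1 September 2015.
TODAY = date(2015, 9, 1)
HR = [
    HrRecord("s1001", "student", date(2015, 9, 1)),                        # joiner
    HrRecord("l2001", "lecturer", date(2010, 1, 4)),                       # unchanged
    HrRecord("r3001", "researcher", date(2012, 3, 1), date(2015, 8, 31)),  # leaver
    HrRecord("l2002", "lecturer", date(2013, 2, 1)),                       # mover
]
DIRECTORY = [
    DirectoryAccount("l2001", True, set(ROLE_GROUPS["lecturer"])),
    DirectoryAccount("r3001", True, set(ROLE_GROUPS["researcher"])),
    DirectoryAccount("l2002", True, set(ROLE_GROUPS["researcher"])),  # still on old role
    DirectoryAccount("x9999", True, {"staff-vpn"}),                   # no HR record
]

if __name__ == "__main__":
    for verb, pid, detail in reconcile(HR, DIRECTORY, TODAY):
        print(f"{verb:14} {pid:8} {detail if detail is not None else ''}")
```

    Running the reconciliation a day earlier (31 August) shows why the date matters: the leaver is still active and the new student has not yet started, so only the mover and the orphan are reported.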
    Secure Mobile and Remote Access to Services:
    Enabling students, staff and researchers to gain appropriate access to services, content and data of widely varying sensitivity, ranging from staff or student personal or financial data to high-value research intellectual property, to accreditation and examination data and services, in a seamless user experience on campus, at collaborating campuses, industry or 3rd parties, literally anywhere in the world. Again CISOs were instrumental in proposing governance, data handling and classification policies and frameworks to these institutions, allowing them to determine who should have access to what data and services and from where. They were also instrumental in proposing secure extranet and intranet technologies, secure wired and wireless solutions, graduated and adaptive authentication, and federation and authorisation models and technologies to help enable and control this secure access.
    Secure Payment Services:
    A lot of money changes hands as part of the education experience. Traditionally at registration students lined up with cheques, cash or credit cards to pay for their annual or term fees. They paid for on-campus services such as printing and photocopying facilities, as well as food and beverage services, with cash. Aside from being a poor experience from the user’s perspective, this also placed a lot of money handling costs and risks on the institution. Once again CISOs were instrumental in developing and implementing secure “cashless” payment systems for everything from online payments of college fees to pre-paid accounts and tokens for printing and catering services at the institution, solving both the users’ and the institution’s problems.
    Indeed so much innovation was required in Higher Education and Research early on to deliver on the business model transformation required that a number of key security technologies were effectively pioneered, developed or piloted in this sector.
    The Institutions that were first or most successful in this transformation required the positive and constructive collaboration and innovation of their internal and external IT providers and information security resources.
    Success criteria included:

    • An increase in students attending the institution, not just because of academic or research excellence but also because of the new reach of the institution to a potentially global market, the range of services offered, the service delivery models, the improved user experience and the perception of innovation.
    • A reduction in administrative cost through secure automation and integration.
    • Improved compliance and risk management through improvements in identity quality and the elimination of manual, error-prone, non-systemic processes.

     
    Conclusion 
    Appropriately protecting your organisation from information security risk is now the minimum requirement of the information security role. To add real business value CISOs need to become partners in business innovation, constructively helping their organisation to achieve its goals by providing and suggesting solutions and models for the business to identify, manage and control the risks that the organisation needs or wants to take. CISOs need to be able to actively contribute to either the top or the bottom line. When they do this they will have no issues getting C-level airtime.

    The view from inside


    There is no doubt about it: the most common information security incidents we are asked to deal with are ones that have arisen from inside the organisation, and to be honest, internal threats are often more difficult for businesses to come to grips with. There is an unintentional sentiment, especially among management not on the front line of managing risk, that if the breach occurs internally it won’t be as damaging to the business as an external attack.
    Unfortunately this is not the case – the extent of the hype, headlines and customer backlash knows no such boundaries and does not noticeably distinguish between the nature of an incident – a breach is a breach.
    From our work there are three common internal information security incidents:

    1. Unapproved content – a frequent but less discussed incident type we encounter is one where staff are accessing content and information at work that is simply off-policy and inappropriate. On the surface what can appear to be a misdemeanour can have ricochet effects across the organisation and needs to be handled carefully.
    2. Accidental error – whether it’s caused by people, process or technology slip-ups, accidental error is when critical information ends up in the wrong place or with the wrong people, causing a breach of the business’s information security. Simple mistakes that unfortunately can have serious consequences.
    3. Intentional internal fraud – simple and straightforward, the planned action of accessing and taking critical information from the business for malicious use.

    Three very different situations, each of which is reasonably common in our experience.
    What’s important is what you can do about it. Here are sensible, pragmatic steps that we recommend you consider to help reduce the risk of these types of incidents happening to your business.
    Access denied – many channels make it hard work!
    The lines between work and home have blurred considerably over the last decade and today we  are used to having the flexibility of ducking in and out of work mode to quickly surf the net, have a chat or catch up with a friend – they call it “me entitlement” time!
    All in all, it’s not a new phenomenon but from an information security perspective the multi-device, mobile, internet  and social networking era presents a new set of challenges.  The fact is that many cases we are called in to look into often involve employees accessing unauthorised content or information when at work.
    Most companies today are savvy and responsible enough to have policies, procedures and filtering systems in place to help avoid such a situation arising. Commendable as it is, it simply is not enough. Companies underestimate the full ramifications of the discovery of an unauthorised access situation and in most cases are simply not equipped to deal with it when it occurs. Depending on the type of incident, the ramifications can range from HR disciplinary action to a potential court case and legal proceedings.
    However, our intent is not to scaremonger; it is to realistically help companies be prepared. Here are four steps we recommend businesses follow:

    • Educate – at the bare minimum make sure you have a thorough acceptable use policy (AUP) in place relevant to your business and that every employee is well aware of what it is and what it contains.
    • Prevent – put teeth into the policy by putting in place a good content filtering solution that will police your policies around the clock.  Remember that in today’s world you need to cover the myriad of channels that are open to people – from email and chat rooms to file sharing and the hidden web.
    • Police – review regularly what people are accessing to ensure your policy continues to be relevant and your prevention is effective.
    • Prepare – probably the most important but frequently overlooked step is to have a formal pragmatic incident response approach in place.  If a situation occurs it may quickly become more than an internal HR issue and companies that can clearly show they engaged robustly by reporting, investigating and protecting assets uncovered for further investigation can positively  influence how their own liability is viewed.

    In truth unauthorised content access is unfortunately quite common in organisations today. It’s hard to discuss and difficult to deal with, but the consequences can be far-reaching so it must be proactively addressed.
    Accidental error – can you eradicate mistakes?
    In our view accidental error is probably the hardest information security threat for businesses to come to terms with.  The fact is that even if nobody means harm, harm still gets done and customers are no more forgiving just because the mistake was internal.
    To look at it simply accidental error falls into two main categories and here’s how we recommend you approach risk management for each:

    1. System, process and technology slip-ups

    It’s a common scenario: the business is rolling out a new system or process, or making changes and upgrades to what’s already in place. The development work is done, user testing is complete and everyone is trained up. Go-live is in two days and someone thinks about security (or not, in some cases!). There simply isn’t enough time to properly assess the risk or run a security test on the new systems or altered processes, so by default the business is left unintentionally exposed.

    It’s a frequent occurrence and one that can easily be remedied.

    Our advice – based on hard earned experience –  is that when it comes to any process or system change that touches the critical information assets of the company, security must be first and foremost on the agenda at every step of the way.

    Coming to the party late leaves the business compromised – but forewarned is forearmed and in many cases embedding security assessments along the way alleviates risk, ultimately saving time, money and reputation.

    What’s needed is a simple change to how businesses run projects – big or small – moving information security from being a last minute consideration to becoming a systemic part of project management.  A simple step that will shift the dial on a company’s exposure to accidental risk.

    Forewarned is forearmed so be forward thinking!

    2. People and plain ordinary mistakes

    Most of the time when we are called in to deal with an internal security incident that has been caused by human error, the bottom line is that the people involved simply did not know the importance of the information they were dealing with.  Across the world this seems to be a common phenomenon with only 42% of staff saying they have received training in how to be secure at work.

    The fact is, people don’t know what they don’t know and as a business it’s your responsibility to educate, guide and give them guard rails to work with.

    It all boils down to awareness and ongoing education – if people are dealing with sensitive data, they need to know the potential consequences of simple errors.

    And, in our experience, it’s not just about annual training courses (but they do help!); it’s more about making security a day-to-day conscious feature in the work practices of those involved with sensitive data. It must live and breathe in everything that gets done and become an ethos, culture and behavioural set, achieved as much by education and change management as by technology.

    Getting the frontline right is fundamental.

    Pre-planned and premeditated – sometimes it is the bad guy’s fault!
    Make no bones about it, sometimes we are called upon to help deal with a straightforward incident of someone in the business deliberately taking information that they simply are not allowed to take.
    It happens often and it happens for many reasons. Sometimes they simply want to bring the information with them when moving company or job, and other times it’s a bit more serious and the intent is to sell the information for fraudulent activities.
    Regardless of the why, let’s focus on what to do about it. In our view there are two things that are key:

    1. Do not enter – Often people steal information because they think they won’t get caught.  They think they won’t get caught because they associate information security practices with something the business focuses on for compliance and audit reasons only.  Taking information security out of the woodwork and making it a living, breathing entity in the business is like putting up a warning sign for all to see.  It won’t prevent every incident, but it will prevent some.

    2. Match make – this is one area where technology can be your friend.  People have fairly clearly defined roles and responsibilities – with these comes an understanding of the systems they need, the information they use, how frequently they use it and what they do with it.  What you need to do is match the person with a profile and use technology to monitor for suspicious activity such as lengthy accesses to critical data files, out-of-hours extended usage, large extracts of sensitive data – things that are slightly out of kilter with normal behaviour.  These are insights that will alert you to take action in time to prevent an incident occurring.  Solutions that customers typically use to help achieve this include Data Loss Prevention (DLP) and Security Information and Event Management (SIEM) solutions.
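    The profile-matching idea above can be shown in code.  The following is an added example written for this page, not Ward’s own tooling or any DLP/SIEM product’s logic; it uses constructed role profiles, a constructed user-to-role mapping and a handful of constructed access records (the names alice, bob, carol and mallory, the resources and every threshold are hypothetical).  Each access is compared against the profile for the person’s role and flagged when it shows one of the signals named in the text: a system outside the role, out-of-hours access, an unusually long access, or an unusually large extract.  A user with no profile at all is flagged too, since an unmatched account is itself something to investigate.

```python
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class AccessEvent:
    """One access to a data store, as a DLP agent or database audit log might report it."""
    user: str
    resource: str
    start: datetime
    end: datetime
    rows: int            # records returned or exported by this access


@dataclass(frozen=True)
class RoleProfile:
    """What 'normal' looks like for a role: which systems, when, how long and how much."""
    resources: frozenset  # systems the role legitimately needs
    work_start: time
    work_end: time
    max_minutes: int      # longest single access expected for the role
    max_rows: int         # largest extract expected for the role


# Constructed role profiles (hypothetical values, not from any real deployment).
PROFILES = {
    "finance": RoleProfile(frozenset({"ledger", "billing"}), time(8, 0), time(19, 0), 120, 5000),
    "sales":   RoleProfile(frozenset({"customer_db", "crm"}), time(8, 0), time(19, 0), 120, 5000),
    "hr":      RoleProfile(frozenset({"hr_records"}), time(8, 0), time(19, 0), 60, 2000),
}

# Constructed mapping of people to the profile that matches their job.
USER_ROLES = {"alice": "finance", "bob": "sales", "carol": "hr"}


def check_event(event: AccessEvent, profile: RoleProfile) -> list:
    """Return the reasons (if any) why this access is out of kilter with the role profile."""
    reasons = []
    if event.resource not in profile.resources:
        reasons.append(f"resource {event.resource} outside role profile")
    if not (profile.work_start <= event.start.time() <= profile.work_end):
        reasons.append(f"out-of-hours access at {event.start:%H:%M}")
    minutes = int((event.end - event.start).total_seconds() // 60)
    if minutes > profile.max_minutes:
        reasons.append(f"lengthy access: {minutes} min exceeds {profile.max_minutes}")
    if event.rows > profile.max_rows:
        reasons.append(f"large extract: {event.rows} rows exceeds {profile.max_rows}")
    return reasons


def detect(events, user_roles=USER_ROLES, profiles=PROFILES) -> list:
    """Run every event against its user's profile; return one alert dict per flagged event."""
    alerts = []
    for ev in events:
        role = user_roles.get(ev.user)
        # An account with no role profile cannot be baselined, so it is flagged rather than ignored.
        reasons = ["no role profile for user"] if role is None else check_event(ev, profiles[role])
        if reasons:
            alerts.append({"user": ev.user, "resource": ev.resource,
                           "start": ev.start.isoformat(), "reasons": reasons})
    return alerts


# Constructed sample log, in event order.  Only the first and fifth are within profile.
SAMPLE_EVENTS = [
    AccessEvent("alice", "ledger", datetime(2014, 2, 18, 9, 15), datetime(2014, 2, 18, 9, 40), 120),
    AccessEvent("alice", "customer_db", datetime(2014, 2, 18, 10, 0), datetime(2014, 2, 18, 10, 10), 50),
    AccessEvent("bob", "customer_db", datetime(2014, 2, 18, 23, 5), datetime(2014, 2, 18, 23, 50), 300),
    AccessEvent("bob", "customer_db", datetime(2014, 2, 19, 14, 0), datetime(2014, 2, 19, 17, 30), 40000),
    AccessEvent("carol", "hr_records", datetime(2014, 2, 19, 11, 0), datetime(2014, 2, 19, 11, 20), 30),
    AccessEvent("mallory", "billing", datetime(2014, 2, 19, 12, 0), datetime(2014, 2, 19, 12, 5), 10),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["user"], alert["resource"], alert["start"], "; ".join(alert["reasons"]))
```

    In practice a DLP or SIEM product learns the profile thresholds from historical activity rather than having them typed in, and correlates events across many systems; the point of the example is that the detection rules themselves are simple comparisons against what a role is expected to do, which is exactly why the profile must reflect the real job.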

    So in short, based on our experience and feedback from others who research the area, internal incidents are the biggest threat to information security locally and globally.
    While each type of incident requires specific actions, there is one over-arching piece of advice that will make a difference to all types of incidents.  Those of you who read our insights frequently will know it is a common mantra – get the subject of information security out of the annual audit and compliance agenda and on to the daily business agenda.  Making security systemic in the business will go a long way to keeping the business secure.
    For more information on insider threat or any information security issue call us on (01) 642 0100
    This document is for general guidance only and should not be regarded as a substitute for professional advice.
     

    Insights

    Data protection strategy key, says Ward Solutions CEO

     
    Pat Larkin, CEO of Ward Technology talks to the Irish Independent about how Irish companies can ready themselves for incidents around data loss – whether accidental or malicious, internal or external – and how to limit the damage they cause.  Ward has many years of experience working with clients to devise effective data protection strategies to keep businesses’ critical information assets safe and compliant with best practice and legislative requirements.

    Insights

    IT security ‘minefield’ can be managed

    Both locally and globally information security breaches took centre stage in 2013 and the trend seems set to continue based on what we have already seen happen in the early days of 2014. The statistics, the incidents and the attacks are all there to remind us that security breaches are a very real problem from which no-one – from multinationals and government agencies to small companies serving local communities – seems to be immune.
    Ward Solutions has been quietly specialising in this area for many years. With a long history of being the trusted information security partner for some of Ireland’s leading companies, the team at Ward has built up an impressive degree of expertise and insight into the minefield of information security.
    Pat Larkin and Paul Hogan are the founders of Ward Solutions – it’s their pragmatic, systematic and human attitude to information security that makes Ward stand out from the crowd. There are three underlying principles that govern the company’s approach to helping their clients devise and implement practical strategies to protect their organisations and customers.
     
    1. It’s not a flash in the pan 
    Annual audits, actual incidents or compliance reviews are often factors that bring information security onto the agenda of the executive team and understandably so. But it is this ad-hoc or annual approach that often leaves companies most vulnerable and open to potential incidents. In today’s business world information security needs to be at the forefront of every executive’s mind and systematic in everything that gets done – whether it’s marketing, running a promotion, your finance team altering billing processes or the IT department rolling out mobile devices to their sales force or executive teams.
    “What we find in most businesses we work with is that security comes on to their agenda once or twice a year – yet changes to their processes, applications and systems happen on an ongoing basis and new threats arise daily leaving them unintentionally exposed,” according to Larkin.  “Every time a company makes a change to a process or application they need to factor into the equation the question of security. Even in a static environment they need to constantly reassess the external risks they face, the vulnerabilities they have and the impact of those risks occurring in their business.”
     
    2. It’s inside and out 
    Most of the news stories we hear about relate to security incidents that are the result of organised malicious attacks from external sources. The possibility of an external security breach, within any business today, is very real and as a result many companies are actively starting to raise the bar on their information security strategies. While this is commendable, it is equally important that organisations strike a balance between protecting against malicious threats and against unintentional internal security breaches. Often companies emphasise their focus on outsiders getting in and forget to look internally at weaknesses in their processes, procedures and systems that also make them vulnerable.
    “Hackers, cybercrime and malware are huge threats today and we must do all we can to protect ourselves and our customers if an incident occurs – this is fundamental,” said Ward co-founder, Larkin. “However, equally as important is turning an eye inwards and looking at where the business is exposed to risk through poor practices and processes or through the actions of a rogue insider. The internal loss of a customer database due to system or information security failure may not always hit the headlines but remains a very serious and damaging security information incident for any organisation.”
     
    3. People plan attacks 
    Many of today’s externally driven security attacks are executed using highly sophisticated and intelligent technologies. However, it pays to remember that behind the technology there are always people or teams of people totally focused on trying to find weak spots through which to penetrate, normally for very damaging purposes. At Ward, the risk assessments and security testing we carry out combine brains and technology.
    We use the industry’s very best information security solutions in combination with a team of highly skilled security consultants. Our consultants approach each project from the viewpoint of a professional criminal, internal or external hacker or inadvertent staff member, bringing a degree of rigour and a 360-degree view to the assessment process that only comes with experience, expertise and the human touch.
    “Over the years we have built up a team of really smart, savvy and technically astute security consultants. The combination of great talent and technology is without doubt our secret sauce,” commented Larkin.
    Ward Solutions have been in the business of information security for over 15 years. The company has a team of over 60 security professionals working with over 250 clients in Ireland.
    For more information contact Pat Larkin on (01) 642 0100


    Insights

    Pragmatic Steps to Protect your Business

    Sometimes bad things happen to good people and the same is true in business.  Information security incidents happen and while there is no silver bullet that will provide complete protection in any company there are steps that can be taken to improve the odds and limit the risk.
    Take the two very different types of information security incidents:-

    • An internal breach caused by human error and system hiccup
    • An external incident caused by malicious attack on an outsourced provider

    Based on our experience here are sensible, pragmatic steps that will reduce the risk of these types of incidents happening to your business.


    Gone but not forgotten – Sensible security steps when outsourcing

    Outsourcing is a reality of modern business.  Many companies today focus on their core operations and outsource ancillary functions.  If your business outsources to contract service providers, here’s what we recommend you do to help manage your information security risk:-

      1. Don’t work on assumptions
        Just because they are certified doesn’t mean you’re safe.  Like most things in life, not all security certifications or standards are equal – they all have different degrees of rigour – some are less reliable than others, some can be confined to particular aspects of the business and some can be fast-track accreditations.  Even well-known security standards, such as ISO 27001, while a good indicator that an outsourcing supplier takes security seriously, are no foolproof guarantee.   So don’t work on the assumption that just because your outsource partner has a security certification all is well.  Take the time and make the investment to dig a little deeper – spend the time upfront to understand how the supplier works, how they approach security, and look for evidence of the implementation of security policies in their everyday work practices.

      2. Conduct an independent risk assessment
        In our view, an outsourcing supplier should be viewed from an information security perspective as part of your wider organisation – while you might be outsourcing a process or service, you are not outsourcing the ownership of the risk.  So from the outset it’s important to get an independent view of the potential business impact and probability of something going wrong.  When assessing information security risk it’s important to take a 360-degree view and consider external and internal threats as well as the likelihood of accidental incidents due to people, process or system failure that could expose your company to risk.   As they say, forewarned is forearmed, and a comprehensive risk assessment upfront is a smart step in mitigating the security risks of outsourcing.

      3. Make sure they practice what they preach
        What people say and what people do can often unintentionally be two very different things.  So we strongly recommend that if the outsourcer has access to sensitive data or significant company assets then on-site due diligence and verification should be carried out.  Walking in the shoes of your outsourcer and its staff will give your business a much deeper insight into what actually goes on at the coalface, gain an understanding of the processes in place and check that the company’s security controls are embedded and proactively adhered to.

      4. Undertake penetration testing
        Limit your risk by vetting your outsourcer in the same way you would vet your own company, and that should include penetration testing.   Don’t rely purely on technology for testing; behind an attack or an incident there is usually an element of human involvement.  Take the time and make the investment to approach penetration testing wearing a number of different hats, from the professional criminal to the inadvertent staff member.  This way you will bring a degree of rigour to the process that technology alone simply can’t deliver.

      5. Get it in writing
        They say good fences make good neighbours – well, good contracts make good partnerships.  Be clear from the start what your company’s expectations are in regards to the ongoing information security controls and the provisions dealing with data protection.  Get suppliers to sign up to guarantees regarding the security standards they will follow.  Build into the contract proof points and verification criteria to demonstrate on a regular basis that what’s been agreed is being adhered to.

      6. Keep it alive
        Audits and contract renewals have a natural tendency to occur annually – the risk of an information security incident has no time bounds.  Make sure you agree with your outsourcer the frequency with which they will undertake to reassess their external and internal risks and vulnerabilities.  Don’t leave it to chance.

    But is it worth the hassle?  We think so – for many businesses outsourcing is a sensible strategy that will bring benefits – the trick to mitigating its potential risks is to ensure information security is front and centre of any outsourcing negotiations.

    Unintended internal error – Straightforward security steps to help prevent mistakes

    Last year around 70 per cent of the security incidents we were called in to help with were internal in origin. No external attack, no sophisticated cybercrime or organised assault but still the innocence of cause did not lessen the potential seriousness of the incident on the business.

    But what can companies do to safeguard against accidental internal risk – is it not just a matter of the luck of the draw? In our experience there are three key things that can help limit your risk:-

      1. Educate your people
        Mistakes happen, but mistakes happen more often when people are not aware of the significance or business impact of something going wrong.  All too often we see companies focusing on malicious information security risks and paying little attention to the unintentional internal security risks.

        Educating your people on the critical importance to the business of the security of sensitive data is a key starting point.  Helping them understand how simple errors can lead to serious consequences for the business starts to create a consciousness around information security that may inadvertently be lacking.

        Information security training is imperative to help bring the issues and risks to the forefront of your employees’ minds and to help them assess their actions, review processes and consider safety checks in a totally different light.  Most companies forget about the impact that the people at the front line can inadvertently have on information security risk and fail to sufficiently bring them into the loop.

      2. Leave nothing to chance
        Things change, and in today’s business world systems, processes and procedures change frequently and fast. With every change comes the chance of a security risk, yet all too often security input or testing is left off the agenda when it comes to implementing a change to a system or process.  This leaves the business unintentionally exposed.  The answer is to leave nothing to chance – information security needs to be systematic within the organisation.  No change – big or small – should go under the radar, and the question of information security should be factored into the equation every time.

      3. External random checking
        Sometimes it’s hard to see the obvious.  When you’re immersed in a business or process it can be hard to look at it with a cold eye and see where it’s weak, where it’s strong and where the risks lie.  That’s why it is always smart to get a new set of eyes to look at what’s going on. Where sensitive information or significant company assets are involved, independent random spot checks on the systems and processes in place often uncover obvious but unobserved vulnerabilities.  There is nothing like a new set of eyes to show things in a different light.

    Let’s be honest, it’s impossible to fully eliminate the risk of human error or system failure but it is possible to decrease the chances of it happening.  Time and again we see the positive impact of simple steps, such as those above, that when taken consistently embed information security into the hearts and minds of people and organisations.
    So what to do?  While there is no one-size-fits-all approach to managing information security risk, there is a one-size-fits-all piece of advice – get the question of information security out of the annual audit and compliance agenda and on to the daily business agenda.
    For more information call us on (01) 642 0100
    This document is for general guidance only and should not be regarded as a substitute for professional advice.

    News

    Meet us at the Credit Union Managers Association event in Athlone…

    Ward Solutions will be sponsoring and presenting at the Credit Union Managers Association event at the Hodson Bay Hotel, Athlone on the 18th & 19th February 2014. Come along to our stand to hear about the range of services we can offer credit unions to help them secure their members’ information and to meet their other compliance requirements, including regulator and data protection requirements. We will be presenting on a pragmatic approach to appropriate information security on Tuesday afternoon and will be available before and afterwards to answer your questions.  Details of our services specifically for credit unions can be found here.

    News

    New Office Address in Belfast

    Ward Solutions have a new office address and contact details for our Northern Ireland office, moving from our old Waring Street location to just around the corner at 25 Talbot Street, Cathedral Quarter, Belfast BT1 2LD, telephone 028 90823688.

    News

    Meet Ward Solutions at HEAnet's annual conference in Athlone…

    Meet Ward Solutions at HEAnet’s annual conference in Athlone.
    http://heanet.ie/news_and_publications/conference_2013_registration
    Ward Solutions works extensively with the Higher Education and Research Sector in Ireland and Northern Ireland. We provide most of the major institutions and bodies in the sector with our services and solutions, enabling their business and helping them secure their information systems and services. Use the conference as an opportunity to meet with us and discuss your information security challenges. We will be happy to share our experience and discuss your needs.