Information security has been a topic of great concern for businesses for decades but has grown significantly more pronounced over the last few years and especially the last month. Legislative requirements enacted under the Dodd-Frank legislation have empowered the Consumer Financial Protection Bureau (CFPB) with jurisdictional regulatory power and the authority for enforcement. In addition to the legislation, there has been a series of attacks against American businesses costing billions in lost revenue. Businesses must take security threats seriously and take every step to protect themselves.
There are a number of ways a business can be attacked in the digital age, and one of the most obvious is a direct frontal assault. Employees pose the single greatest threat to an organization as they have the greatest unfettered access. The first step to protecting information is making it impossible for any one employee or group of employees to have unrestricted access to any information, but especially research and development or proprietary protections. Organizations must compartmentalize access with barriers to access that cannot be overcome without approval of management teams. One person should never have the ability to authorize access because one person can be compromised.
Compartmentalization is not enough, especially if there are nefarious actors at work. The number of locations that store and process critical data must be limited, and personnel must be employed whose sole purpose is restricting physical access. Physical protection must be tiered and layered so that a single compromised security employee cannot grant access on their own. Organizations must provide policies to prevent unauthorized storage of information on devices like flash drives, external hard drives, laptops, phones, tablets, and internal company machines. Without such policies, employees can fax or email any information they want, which can be devastating to company objectives.
There is a significant difference between intranet and internet access. A stand-alone building that has its own internal computer services and does not access the World Wide Web is operating in an intranet environment. If that building is physically linked to other sites by cable or by its own wireless or satellite-based service, it is still an intranet environment so long as it never connects to the World Wide Web. Once a computer system accesses the public network that the rest of the world is on, it is accessible to internet hackers. While it is impossible to truly protect yourself from a hacker on the web, and nearly impossible to operate a business without internet access, it is possible to isolate systems. Keeping Non-Public Personal Information (NPI), or any vital information needing protection, stored on intranet systems not physically connected to the internet is about the only way to guarantee true security.
Businesses must prioritize their concerns and determine the best ways to protect their information. Email will always pose a risk to employers, and there should be strict diligence applied through policy to limit email access and reduce the potential threats. There is no statement that can be made by anyone alive that cannot be twisted to mean something different than what was intended. Hacking email is always going to produce poor results and is unavoidable if an organization must have email as a part of their services. Using an intranet alone is not feasible for worldwide or even nationwide businesses.
There are ways to protect your organization from exposure while using the internet, even if it is impossible to keep it completely safe from an entity with the resources like North Korea or China. China has been engaged in industrial espionage for decades and achieved unparalleled success on this front against any business that takes their interest. After you have put controls in place within your organization and established an effective intranet program, you will have to secure internet usage. There are two significant ways this can be done with communications security (ComSec).
There are devices that physically scramble signals making them virtually impossible to decode without the physical components that decode them. Of course, even the best encryption keys can be cracked with the right applications of time and ingenuity. The Dodd-Frank legislation has required financial institutions and other industries to have communications security devices to protect NPI. The CFPB has the enforcement authority to conduct audits, fine violations, and shut businesses down that fall under the CFPB jurisdiction.
Policies must specifically spell out the techniques that will be used for information security of all kinds, not just digital. There must be safeguards in place to prevent loss of information, and the penalties are stiff for deficient policies and for policies that are not enforced. The losses have been significant, and competition on a global scale is not respectful of individual rights and liberties. Success has become the measure that drives hackers; penetrating the impenetrable is a badge of honor. The times have changed, and international law has not evolved to the point that there are any real protections for anyone anywhere.
The bad actors are everywhere, and there are individuals and groups whose only purpose is to find ways into systems they have no legitimate right to access. The value of information in today's age has made it worth stealing; thirty years ago, knowing someone's birthday did not have the value it does today. It is a good idea to hire a professional consultant with experience in information security to identify the potential weaknesses in your company and help you avoid interruption. Security deals with threats and how to handle them. Sadly, the potential risks in today's world make it difficult to know what is threatening you. Do you know what your threats are?