Information security deals with the protection of information in all its forms and throughout the entire information life cycle.
In all its forms means the information can be:
- digital (stored in an information system or software),
- printed on paper, or
- information and knowledge held only in someone's mind.
Throughout its life cycle means:
- from its creation,
- through processing, storage and transmission,
- until its disposal or destruction.
The goal of information security is to reduce the risk of data being lost, misused, compromised or altered. It mainly concerns the most important data (the so-called primary information assets), i.e. the collections of data and information that are essential for your company, such as:
- personal data stored in the HR application
- printed contracts, overviews and reports lying on a desk
- printed employment contracts kept in folders in the filing system
- accounts and login information stored in the browser
- photos and other files stored on your computer
- business or other information obtained in personal dealings
What are the biggest threats to information security?
The most significant issue arises when your information is lost or misused. Key threats to information security include:
- Identity theft
- Theft of confidential information
- Deletion of key information
Common situations that can lead to these threats are:
- Failing to remove access for an employee who has left the company
- Disclosure of information by a departing employee
- Papers left unattended on a desk
- An unlocked computer
- Confidential information stored on a shared drive or unprotected cloud storage
- Freely accessible files in the office
- Various cyber attacks
The biggest threat to information security is people inside the organization.
Most problems are caused by insiders rather than external attackers.
- Employees, contractors, or others with authorized access to the company’s systems or physical premises can intentionally or unintentionally misuse their access, impacting the organization’s critical data or systems.
- Careless employees who do not adhere to organizational processes and regulations can cause numerous issues. For example, they might inadvertently email customer information to external parties, click on phishing links, or share their login credentials with others.
- Some individuals bypass security measures out of convenience or misguided attempts to increase productivity.
- Malicious employees may deliberately evade cybersecurity protocols to delete data, steal information for personal gain, disrupt operations, or otherwise harm the business.
What information security must deal with
Information security encompasses the protection of data in applications and software, as well as information stored on paper. It also includes safeguarding the knowledge that employees might disclose.
Key areas of focus include:
- Protecting computers, data, and information transmissions (see cybersecurity)
- Securing printed information on papers, whether on desks, in files, or elsewhere in the company
- Safeguarding information that employees acquire, for example, during personal meetings
How to protect your information and data
The vast majority of information security threats stem from human weakness: non-compliance with processes and principles, ignorance, loss of equipment, or a deliberate intention to disclose information. Some information threats can be prevented by strict procedures and adherence to certain policies; others can be prevented by technical and IT measures.
1. Educate your people and raise their information literacy and awareness of information threats
- Only people educated about possible information threats can prevent them
- Education and improving information literacy will help to eliminate a large part of unintentional errors, problems or accidents
- Basic principles include recognizing suspicious e-mails and links, and handling confidential documents carefully in the workplace
- Awareness will also improve vigilance for possible theft of documents, computers or mobile phones in cars or other places
- Only people following good habits and processes can prevent some security incidents
- Cover potential threats, regular tips on handling e-mail, cyber attacks, and the importance of backups
- Train employees and contractors in security awareness before giving them access to your information
- Include such training for both new employees (see employee onboarding) and ongoing training for your current employees
2. Control your people's access to information
- Limit employees' access to only the specific resources they need to do their jobs
- You have to control who can access what
- Keep access allocation under control both when an employee joins and when their role changes
- An employee's arrival is important, and their departure and the removal of all authorizations are no less important
- Set up contractors and other freelancers with a temporary account that expires on a set date, such as when their contract ends
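The joiner/mover/leaver checks described in this step can be automated as a periodic access review. The following is an added example, not code from the page: it cross-checks a constructed HR roster against the accounts that exist in a system and flags accounts of people who have left (or that nobody owns), contractor accounts past their contract end or without an expiry date, and accounts whose permissions exceed what the person's current role needs. The role model, user names and dates are all constructed for illustration.

```python
"""Joiner / mover / leaver access review (added example, not from the page)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Constructed role model: the permissions each job role actually needs.
ROLE_PERMISSIONS = {
    "hr": {"hr_app.read", "hr_app.write"},
    "sales": {"crm.read", "crm.write"},
    "contractor_dev": {"repo.read"},
}


@dataclass
class Person:
    user_id: str
    role: str
    active: bool                         # False once HR has recorded the departure
    contract_end: Optional[date] = None  # set for contractors and freelancers


@dataclass
class Account:
    user_id: str
    permissions: set[str] = field(default_factory=set)
    expires: Optional[date] = None       # temporary accounts should always carry one


def review_access(people, accounts, today):
    """Return (user_id, finding) pairs that an administrator should act on."""
    roster = {p.user_id: p for p in people}
    findings = []
    for acct in accounts:
        person = roster.get(acct.user_id)
        # Leaver, or an account nobody in HR owns: access that was never removed.
        if person is None or not person.active:
            findings.append((acct.user_id, "leaver: account still enabled, disable it"))
            continue
        # Contractor accounts expire with the contract.
        if acct.expires is not None and acct.expires < today:
            findings.append((acct.user_id, "expired: contractor account past contract end"))
            continue
        if person.contract_end is not None and acct.expires is None:
            findings.append((acct.user_id, "contractor account has no expiry date"))
        # Mover: permissions left over from a previous role.
        excess = acct.permissions - ROLE_PERMISSIONS.get(person.role, set())
        if excess:
            findings.append((acct.user_id, f"mover: excess permissions {sorted(excess)}"))
    return findings


# Constructed sample data.
SAMPLE_PEOPLE = [
    Person("alice", "hr", active=True),
    Person("bob", "sales", active=False),                                    # left last month
    Person("carol", "contractor_dev", active=True, contract_end=date(2024, 1, 31)),
    Person("dave", "sales", active=True),                                    # moved from HR to sales
]
SAMPLE_ACCOUNTS = [
    Account("alice", {"hr_app.read", "hr_app.write"}),
    Account("bob", {"crm.read"}),
    Account("carol", {"repo.read"}, expires=date(2024, 1, 31)),
    Account("dave", {"crm.read", "crm.write", "hr_app.read"}),
    Account("svc_old", {"crm.read"}),                                        # no owner in the roster
]
TODAY = date(2024, 3, 1)


def run_review():
    return review_access(SAMPLE_PEOPLE, SAMPLE_ACCOUNTS, TODAY)


if __name__ == "__main__":
    for user_id, finding in run_review():
        print(f"{user_id}: {finding}")
```

Run as a scheduled job, the review turns the "remove access when someone leaves" rule into a check that catches the cases a manual process misses: the departure nobody reported to IT, the contract that quietly ended, and the permissions that followed a person into a new role.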
3. Protect information from unauthorized people
- Grant access to information only to authorized persons
- Control access to systems and company premises
4. Back up your data so that you can restore it
- Having properly backed up data is one of the basic information security measures
- Paper documents are hard to back up; one solution is digitization
- You can lose data not only as a result of a cyber attack, but also, for example, if you lose your computer
- You can also lose paper documents as a result of theft
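A backup only counts if it can be restored, so a backup job should end with a restore test. The following is an added example, not code from the page: it archives a directory, records a SHA-256 manifest of its files, restores the archive into a fresh location and compares every restored file against the manifest, then shows the same check catching a damaged restore. The "contracts" and "photos" files are constructed inside a temporary directory.

```python
"""Backup with a restore test (added example, not from the page)."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every file under root."""
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup(source: Path, archive: Path) -> dict:
    """Write a compressed tar of source and return the manifest to keep with it."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return manifest(source)


def restore(archive: Path, target: Path) -> None:
    target.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):
            # Python 3.12+ (and security backports): refuse entries that escape target.
            tar.extractall(target, filter="data")
        else:
            tar.extractall(target)


def verify(target: Path, expected: dict) -> list:
    """List every file that is missing or differs from the manifest."""
    actual = manifest(target)
    problems = []
    for name, digest in expected.items():
        if name not in actual:
            problems.append(f"missing after restore: {name}")
        elif actual[name] != digest:
            problems.append(f"content mismatch: {name}")
    return problems


def demo():
    """Backup/restore round trip, then the check catching a damaged restore."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "data"
        (src / "contracts").mkdir(parents=True)
        (src / "contracts" / "2024-01.txt").write_text("constructed contract text\n")
        (src / "photos").mkdir()
        (src / "photos" / "team.jpg").write_bytes(b"\xff\xd8constructed bytes\xff\xd9")

        archive = Path(tmp) / "backup.tar.gz"
        expected = backup(src, archive)

        restored = Path(tmp) / "restore"
        restore(archive, restored)
        clean = verify(restored, expected)       # expected: []

        # Simulate a damaged restore (a truncated file) and re-check.
        (restored / "contracts" / "2024-01.txt").write_text("truncated")
        damaged = verify(restored, expected)     # expected: one mismatch
        return clean, damaged


if __name__ == "__main__":
    clean, damaged = demo()
    print("clean restore problems:", clean)
    print("damaged restore problems:", damaged)
```

Keep the manifest with the backup rather than only in the source location: if the laptop is lost or the office is burgled, the manifest is what lets you prove the restored copy is complete.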
5. Watch your devices, computers, mobile phones and documents
- Keep an eye on your devices and documents so that they are not lost or accessed by someone else
- Lock your devices and require a password, PIN or other authentication to log in
6. Have a password policy in place
- Use strong, unique passwords
- A good password should be at least 8 characters long and contain both upper and lower case letters and numbers
- Establish a password policy as a matter of course for your employees
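The policy above can be enforced at the point where a password is set. The following is an added example, not code from the page: it checks the rule stated here (at least 8 characters with upper-case and lower-case letters and digits) and the "unique" requirement by comparing a new password against the account's earlier ones through salted PBKDF2 hashes, so the checker never keeps plaintext. The sample passwords are constructed.

```python
"""Password policy check (added example, not from the page)."""
import hashlib
import hmac
import os

MIN_LENGTH = 8
PBKDF2_ROUNDS = 100_000


def policy_violations(password: str) -> list:
    """Return the policy rules the password breaks (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    return problems


def remember(password: str) -> tuple:
    """Salted hash to keep in the account's password history (never the plaintext)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def already_used(password: str, history) -> bool:
    """True if the password matches any entry in the history."""
    for salt, digest in history:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def check_password(password: str, history) -> list:
    """Policy and uniqueness together, as a login or HR system would apply them."""
    problems = policy_violations(password)
    if already_used(password, history):
        problems.append("already used by this account")
    return problems


if __name__ == "__main__":
    history = [remember("Tr0ubad0ur")]          # constructed prior password
    for attempt in ("password", "Ab1", "Tr0ubad0ur", "N3wPassw0rd"):
        print(attempt, "->", check_password(attempt, history) or "accepted")
```

The history is stored as salted, iterated hashes for the same reason the live password is: a leaked history file must not hand an attacker the passwords people are likely to reuse elsewhere.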
7. Introduce other restrictive technical measures; in large companies they are necessary
- Implement two-factor authentication that requires each user to provide additional identifying information in addition to a password
- Install employee monitoring software to help reduce the risk of data breaches and intellectual property theft by identifying careless, disgruntled or malicious users
Information Risks - What can happen to your information
Information security protects your sensitive information, but various risks can still occur:
- Complete Loss of Information: You might lose information entirely if you misplace a document, damage your mobile or laptop, or if someone steals it. In the best-case scenario, no one else has access to misuse it. For example, you could lose all your contracts or photos.
- Unauthorized Access: You still have your data, but someone else gains access to it without your consent. For instance, a cleaning service employee might read a document you left on the table.
- Theft and Misuse: If someone steals your phone and accesses its contents, you lose the data, and the thief can use it against you, potentially for blackmail.