The first nine months of 2020 saw 2,953 publicly reported breaches — 51 percent more than the same period in 2019; by the end of 2020, another 1,000 breaches pushed the total to 3,950. On average, security professionals took 228 days to identify a security breach and 80 days to contain it.
These facts show that the risk of data breaches and information loss is painfully high for organizations. Data is a mission-critical asset. Organizations must protect it from hackers and data thieves.
Beyond the usual virus attacks and malware, human error can also result in the loss of sensitive data. One recent report found that in 2020, 38 percent of organizations lost sensitive information contained in documents or files because of careless employees. Power outages, software corruption, physical device theft, and natural disasters may also lead to data loss.
To protect their data, modern organizations must implement a formal, robust information security program.
What Is Information Security?
According to the National Institute of Standards and Technology (NIST), information security (also known as “infosec” or data security) is defined as “the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.”
Information security aims to secure the organization’s data while that information is stored (“at rest”) and while being transmitted (“in motion”).
Information security is not the same as cybersecurity, although the two terms are often used interchangeably. Infosec is about protecting information systems, while cybersecurity is a broader practice of defending all the organization’s assets — information assets being one among many. Cybersecurity includes information security, as well as application and network security.
Why Information Security Is Important
The American Cybersecurity Literacy Act
In June 2021 U.S. lawmakers introduced the American Cybersecurity Literacy Act (ACLA) to improve cybersecurity literacy and security awareness among the American public.
ACLA requires the National Telecommunications and Information Administration (NTIA) to establish a public information campaign focused on cyber attack prevention and cybersecurity risk awareness, including subjects such as:
- Password hygiene
- Multi-factor authentication
- Risks of public WiFi networks
- Email phishing scams
- Mobile security
- Safety protocols and apps
- Defined strategies to mitigate the impact of cyber attacks
The ACLA is a welcome step in cybersecurity education. But organizations need to do more than merely educate their users to secure their information assets. They also need an up-to-date and comprehensive information security program.
The Need for Information Security
Information security practices reduce the risk of attacks on information technology systems.
These programs apply reliable information security controls to protect IT systems (particularly those that create, store, or transmit data) from unauthorized access and other information security threats. Such controls can also prevent service disruptions and downtime caused by denial-of-service (DoS) attacks and other threats.
Without such a program, the organization may lose critical or sensitive information to hackers. Such events may lead to poor customer experience, affect the company’s reputation, result in regulatory fines, and even endanger the ability to retain customers or maintain business continuity.
Factors Influencing the Importance of Information Security
Strong infosec can reduce the risk of security incidents and data losses, assure business continuity, and protect an organization’s clients, business interests, and core business integrity. On those grounds alone infosec should be a priority.
Meanwhile, the regulatory landscape is rapidly evolving, with laws such as GDPR, HIPAA, and HITECH enacted to protect data and assure consumer privacy. To maintain compliance with these laws, organizations must protect their data; that drives even more need for information security.
Common Threats to Information Security
Organizations and their security teams should be aware of the many threats to their data, such as:
Malware and Ransomware
Malware is one of the most pervasive threats to an organization’s information assets. Malware can enter a target’s IT systems when a user downloads or installs infected software or executable files, or uses infected removable media. Malware can also arrive through malicious emails (phishing) or compromised links.
Malware lets threat actors steal all kinds of sensitive data, including credentials, customer information, business secrets, and intellectual property. Ransomware is a type of malware that enables cybercriminals to encrypt a victim’s system. The attackers then demand a ransom to unlock it.
It’s crucial to implement different types of controls to prevent and mitigate malware attacks.
Third-Party Exposure
A recent report found that 51 percent of organizations surveyed had experienced a data breach caused by a third party. At least 74 percent of them said that the breach resulted from giving third parties too much access to data.
All organizations work with multiple third parties such as vendors, suppliers, contractors, and consultants to reduce costs, speed up operations, and accelerate go-to-market plans. But these third parties also increase the risk of information loss, theft, or compromise.
It’s vital to carry out regular vendor risk assessments and to implement a robust third-party risk management program to prevent these types of security incidents.
Social Engineering
Threat actors use social engineering techniques, such as phishing, to manipulate targets (usually employees) into ignoring security controls or revealing sensitive or confidential information.
Outdated or Insecure Software
Outdated software often contains security vulnerabilities and lacks the latest security updates or patches. These weaknesses open the door to cyber attacks and allow attackers to steal enterprise data. All software and operating systems should be regularly patched and upgraded to reduce such vulnerabilities and prevent these types of security issues.
Insecure Networks
Security tools such as firewalls, anti-virus software, endpoint detection and response (EDR), and security information and event management (SIEM) systems can protect information assets. A lack of such systems increases vulnerabilities and the risk of data breaches.
Another risk is a lax information security policy that allows employees to use insecure personal networks, bypass password security, or access resources they don’t necessarily need for their role.
Finally, employees’ lack of cybersecurity awareness and poor cybersecurity hygiene also increase the information security risks that insecure networks pose.
Mitigating Threats to Information Security
The following strategies can help organizations mitigate threats to information security.
Strong Cyber Defenses
In 2017, Equifax, a major American credit reporting agency, was the victim of a massive data breach. The incident affected more than 140 million customers and cost the company $1.4 billion in security upgrades. It was found to result from serious cybersecurity weaknesses.
To protect data and prevent Equifax-like incidents, solid cyber defenses and a comprehensive InfoSec program are critical. This program should include:
- Firewalls to block malicious external programs from accessing enterprise data
- Anti-spam, anti-virus, and anti-malware programs on all devices
- Automatic software patch management
- Periodic vulnerability scans and penetration tests to find and address infosec weaknesses
Encrypt Sensitive Data
All private, sensitive, and classified information must be encrypted to prevent threat actors from reading it. Data and assets that you should consider encrypting include:
- Personally identifiable information (PII)
- Confidential business data and business secrets
- Intellectual property
- Devices
- Wireless networks
Implement Strong Access Controls
Many data breaches result from weak access controls that allow bad actors to enter enterprise computer systems and steal data.
Strong, complex passwords should be used for every system or device to prevent such issues. A password policy should clarify how employees should create and store passwords, when to change passwords, and why they should not share passwords.
For added data security and access control, enterprises should implement multi-factor authentication.
Back Up Your Data
Regular backups can help the organization recover its data in case of a data breach. Backups also protect against human errors, hardware or power failures, and natural disasters. It’s best to implement an automated backup program to ensure regular, reliable backups.
A backup policy is also essential. It should clarify who will be responsible for backups, the backup locations, who can access them, and under what conditions.
Dispose of Data Safely
The infosec program should include processes for safe data disposal. Old devices, including hard drives and portable storage, should be completely overwritten, not just formatted. It’s also important to delete old files from cloud backups and to shred physical documents.
ZenGRC Helps Protect Your Organization From Threats
Modern organizations create, store and consume vast amounts of data to support their operations, serve customers, and meet compliance responsibilities. But the threat of data breaches is a constantly hovering dark cloud.
To prevent breaches and protect their information, every organization needs a robust information security program. A powerful platform like ZenGRC enables companies to strengthen infosec and to protect their critical information assets from threat actors.
To learn how your organization can boost information security, click here for a personalized demo of ZenGRC.