The expression above by Johan Cruijff, ‘Winning requires all of us’, applies to information security as well. As an organization, you want to get a grip (and keep it) on the information necessary for the organization. That can be complex, especially as many employees are now working hybrid, and as we are embracing flexible working places more and more. After all, pre-Corona we were mostly working in-office, relatively secure on the corporate network, with a small chance of third parties watching along on your screen. In the present, we regularly work on-site at a client’s place, or at home via a private WiFi or VPN connection. As a company, you have no idea who else is on the home network, and how the network is secured. Sensitive data might be getting printed, and subsequently ends up in the paper bin in the street, instead of a locked container. We do not know which roommates or neighbors can listen in on confidential conversations. In short: unless specific measures have been taken, we now have less of a grip on where our data is, and how it is being processed. And precisely this is essential for information security.
Taking stock and classifying
Security starts with determining what data you have, where it is saved, who can access it, and what that data or information is worth. This assessment covers the core of security standards, such as ISO 27001 or NEN 7510, but also the core of the GDPR, and soon NIS 2. Based on that assessment, we determine how to secure information and how sensitive or confidential information is, after all. In fact, you cannot prescribe employees how to deal with confidential information if they do not know what information is confidential. In reality, every organization that begins with information security starts it off by taking stock of its information, and then classifying it.
Humans as critical factor
Process-wise, the first step has been taken: the information has been assessed and classified. This does not mean however, that employees instantly know how to deal with that information. In addition, a lot of organizations deal with employees that do know how to act, but in practice make different choices, sometimes.
Looking at data on cybercrime and data breaches, you can conclude that human activity is at the basis of the majority of the incidents. Excel files that are accidentally sent to the wrong person, people clicking phishing links, being duped into paying invoices while bypassing standard procedures: accidents will happen. At the same time, these kinds of accidents imply that we should inform employees a lot better about two things: not only should employees recognize the information’s value, they should also know the rules on how that information should be processed. A general awareness campaign in which you are warned for ‘sensitive data’ is (evidently) insufficient. It would be better to explicitly label information as confidential, and to establish how confidential information should be communicated. ISO 27001, for example, requires this approach.
Despite you being fully in control in the area of technology and process design, without information management at the base, it is still too easy for the employee to make mistakes. Furthermore, the organization is not isolated, and thus vendors and supply chain partners need to able to understand how they should handle your information. If the employee, partner or client recognizes the exchanged information’s value, it is much more likely for them to join in protecting it by taking the right measures.
Good information management is part of having ‘the base in order’ in information security. If the way information is classified, saved and should be communicated is clear to everyone, we can all work together on security. ‘Winning requires all of us’ then does not just mean that awareness needs to be aimed at the employees’ actions, but also at the organization itself – every department should become aware of the worth of the information passing through its hands, after all.