WikiLeaks is currently a hot story, and for good reason: it is not every day that confidential documents of the world's most powerful governments are published on the Internet. And some of those documents are, to put it mildly, embarrassing.
I am not going to write here about whether it was legal for WikiLeaks to publish such information, whether the information should have been made public in the public interest, what will happen to its founder (at the time of writing this article Julian Assange was in custody), etc.
The problem is this: if WikiLeaks is shut down, a new WikiLeaks will appear. In other words, the threat of information leaking to the public is constantly growing. (Incidentally, before he was jailed, Julian Assange had announced that he would publish incriminating information about a major US bank and its malpractice.)
I want to touch here on the corporate point of view: what if we are the next target of WikiLeaks or one of its clones? How do we ensure the security of our information and prevent the damage of such a serious incident?
But what does information security look like in practice? Let's take a simple example. Suppose you regularly leave your laptop in your car, on the back seat. Chances are that eventually it will get stolen.
What can you do to lower that risk? First of all, you can make a rule (by writing a procedure or a policy) that laptops must not be left in a car unattended, or that you must park the car where some kind of physical security exists. Second, you can protect your information by setting a strong password and encrypting your data. Further, you can require your employees to sign a statement under which they are legally liable for any damage that may occur. But all these measures may remain ineffective if you did not explain the rules to your employees through a short training.
So what can you conclude from this example? Information security is never a single security measure; it is always several of them together. And the measures are not only IT-related: they also involve organizational issues, human resources management, physical security and legal protection.
The problem is that this was an example of a single laptop, with no insider threat. Now imagine how complex it is to protect the information in your company, where the information is stored not only on your PCs but also on various servers; not only in your desk drawers but also on all your mobile phones; not only on USB memory sticks but also in the heads of all employees. And you may have a really disgruntled employee.
Seems like an impossible task? Difficult, yes, but not impossible.
How to approach it
What you need to solve this complex problem is a framework. The good news is that such frameworks already exist in the form of standards. The most widespread is ISO 27001, the leading international standard for information security management, but there are also others: COBIT, the NIST SP 800 series, PCI DSS, etc.
I am going to focus here on ISO 27001. I think it gives you good ground for building an information security system because it provides a catalog of 133 security controls, and it gives you the flexibility to apply only those controls that are really needed in relation to the risks. But its best feature is that it defines a management framework for controlling and directing security issues, so that security management becomes part of the overall management of an organization.
In short, this standard lets you take into account all the information in its various forms and all the risks, and gives you a path to carefully resolve every potential problem and keep your information safe.
Consequences for business
So, should businesses be afraid that their information will leak to the public? If they are doing something illegal or unethical, they certainly should.
However, companies operating legally, if they want to protect their business, cannot think only in terms of return on investment, market share, core competence and long-term vision. Their strategy must also take into account security issues, since insecure information can cost them far more than, for example, a failed launch of a new product. By security I do not mean only physical security, because that is simply not enough anymore: technology makes it possible for information to leak through various means.
What is needed is a comprehensive approach to information security. It does not matter whether you use ISO 27001, COBIT or another framework, as long as you do it systematically. And it is not a one-time effort; it is a continuous operation. And yes, it is not something your IT people can do alone; it is something the whole company has to participate in, starting from the executive board.