At the beginning of this year Maastricht University made the headlines: the university was paralyzed by a hack and eventually decided to pay a ransom. Cybercrime has risen in the last couple of years and is quickly adapting to the current situation, in which many people work remotely. However, cyber criminals are not the only ones who pose a risk to business operations: a fire in the server room, or an employee who accidentally causes a data breach, can also have far-reaching consequences. What can you do as an organization to minimize these risks?
DNB’s assessment framework is a good basis for information security
To create a good foundation for information security, De Nederlandsche Bank (DNB) has developed an assessment framework that financial institutions can use as good practice. For any organization this is a good starting point: think critically about which risks apply to your organisation, which risks you are willing to accept and which risks you want to minimize. Draw up an information security policy and also record where the tasks and responsibilities lie. Once this is on paper, the next step is to make it work in practice.
Information security from paper to practice
1) Be critical of yourself as an organization
Organizations often have too rosy a picture of how their information security is arranged. Are the backups of the critical systems made according to plan? And if a backup fails, when will you be informed about it? Does the strict password policy apply to all employees, or are there exceptions? As an organization it is important to ask such questions, to zoom in on the exceptions and the risks they entail, and to be able to demonstrate this with evidence. When proof actually has to be provided, it often turns out that reality differs slightly from what was previously assumed.
2) Ensure a supported risk culture
Employees quickly find ways to bypass security steps if they experience them as too cumbersome or difficult. It is important that employees are not only aware of what is expected of them in the field of information security, but also understand why they have to do it. Unfortunately, in practice you often see that awareness is invested fully and exclusively in employees with a risk function, who then quickly become a voice crying in the wilderness. Higher management must therefore clearly convey that information security is not something you do alongside your day-to-day job, but an important part of your work. IG&H has developed a unique method for the Plan-Do-Check-Act cycle to ensure that the adjusted processes and risk thinking are properly embedded in the organization.
3) Technology is your best friend
Good technological solutions are crucial in limiting risks. If they are user friendly and reliable, they relieve your employees rather than burden them. It is important here to have a clear view of your requirements, and of which action you will take if a requirement cannot be met technically. Also be aware of the exceptions to the rule and of the risks these entail. Finally, use the information the technology makes available and monitor it actively.
As the above shows, getting information security properly organized in an organization costs both time and money. However, the costs of not investing in it can turn out to be many times greater. For example, Maastricht University paid almost two "ton" in ransom (in Dutch usage, a "ton" is 100,000 euros), and British Airways had to pay a record fine of 204 million euros due to a data breach. After an incident, an organization also has to catch up in a short time, which is time consuming and a heavy burden on the organization. In short, prevention is better than cure.
Would you like to know more about information security, or about how we at IG&H can help your organization? Then do not hesitate to contact us!