While protecting your organisation against disasters and blunders is a necessary step, it’s not sufficient for solid business continuity. Security breaches are a threat to all businesses and public agencies. With information fast becoming one of the most valuable assets an organisation can have, the natural consequence is that it also needs to be protected against theft or sabotage. But where should an enterprise start? The fact is that while technologies can be complex and security measures for those technologies doubly so, much of the protection required concerns the attitude and behaviour of employees. So while you’re evaluating the latest in anti-virus software and Internet firewalls, remember the following key points as well.
- Have a clear information security definition and policy. Make sure it includes relevant details on what is to be considered confidential information and how to work with and safeguard that confidentiality, as well as suitable information retention and destruction rules. The policy should cover both paper-based and electronic information, with shredders, locked disposal containers, computer hard disk wiping and any other necessary items.
- Tell staff that information security is essential. People don’t always work this out for themselves. Use regular training and awareness campaigns to make the information security policy a practical reality.
- Make sure that management sets the example in how to handle confidential information properly. Top management must be the role model for this. Weakness at higher levels will make it doubly difficult to reinforce information security at lower levels.
- Audit your information security on a periodic basis. Check awareness levels in staff, verify that the right solutions are in place and operational, and check for possible gaps or holes. And remember to think like an attacker, as well as like a conscientious business continuity or security manager. After all, as the saying goes, ‘it takes a thief to catch a thief’!