Lessons learned from WikiLeaks: What is exactly information security?
Nowadays WikiLeaks is a hot story for a good reason – it is not very common for confidential documents of the world’s most powerful government to be published on the Internet. And some of these documents are, to put it mildly, embarrassing.
Here I am not going to write about whether it was legal for WikiLeaks to publish such information or not, whether the information should have been made public because of the public interest or not, what is going to happen to its founder (at the time of writing this article Julian Assange was in custody) etc.
The problem is – if WikiLeaks is going to be shut down, a new WikiLeaks will appear. In other words, the threat of leaking information to the public is constantly increasing. (By the way, before he was jailed, Julian Assange had announced he would publish incriminating information about a major U.S. bank and its malpractice.)
I want to touch here on the corporate point of view – what if we are the next target of WikiLeaks or its clone? How to ensure the security of our information and prevent the damage of such a large incident?
But how does information security look like in practice? Let’s take a simple example – for instance, you leave your laptop frequently in your car, on the back seat. Chances are, sooner or later it will get stolen.
What can you do to decrease that risk? First of all, you can make a rule (by writing a procedure or a policy) that laptops cannot be left in a car unattended, or that you have to park a car where some kind of physical protection exists. Second, you can protect your information by setting a strong password and encrypting your data. Further, you can require your employees to sign a statement by which they are legally responsible for the damage that may occur. But all these measures may remain ineffective if you didn’t explain the rules to your employees through a short training.
So what can you conclude from this example? Information security is never a single security measure, it is always more of them together. And the measures are not only IT-related, but also involve organizational issues, human resources management, physical security and legal protection.
The problem is – this was an example of a single laptop, with no insider threat. Now consider how complex it is to protect the information in your company, where the information is archived not only on your PCs, but also on various servers; not only in your desk drawers but also on all your mobile phones; not only on USB memory sticks but also in the heads of all employees. And you may have a very disgruntled employee.
Seems like an impossible task? Difficult – yes, but not impossible.
How to approach it
What you need to solve this complex problem is a framework. The good news is that such frameworks already exist in the form of standards – mostly widespread is ISO 27001, the leading international standard for information security management, but there are also others – COBIT, NIST SP 800 series, PCI DSS etc.
I’m going to focus here on ISO 27001 – I think it gives you good ground for building the information security system because it offers a catalogue of 133 security controls, and offers flexibility to apply only those controls that are really needed in relation to risks. But its best feature is that it defines a management framework for controlling and directing the security issues, therefore achieving that security management becomes a part of the overall management in an organization.
In short – this standard enables you to take into account all the information in various forms, all the risks, and gives you a path to carefully resolve each potential problem and keep your information safe.
Consequences for business
So, should the corporations be afraid that their information will leak to the public? If they are doing something illegal or unethical, they certainly should.
However, for companies operating legally, if they want to protect their business, they cannot think only in terms of return on investment, market share, core competence, and long term vision. Their strategy must also take into account the security issues, since having insecure information can cost them much more than for example a failed launch of a new product. By security I mean not only physical security because it is simply not enough anymore – the technology makes it possible for information to leak through various means.
What is needed is a comprehensive approach to information security – it doesn’t matter whether you use ISO 27001, COBIT or some other framework, as long as you do it systematically. And it is not a one-time effort, it is a continuous operation. And yes – it is not something your IT guys can do alone – it is something the whole company has to participate in, starting from the executive board.