What Is Information Security
Let’s look at some statistics to understand just how large the cyber world really is; from that we can estimate the magnitude of the risk involved.
Year on year there is growth in internet usage and penetration. People are becoming more aware, the world becomes smaller and more people are using networks in one form or another to connect. The internet is not a single network of nodes and connecting points but a huge collection of loosely connected networks accessed by individual computer hosts. There are many ways people connect to their respective networks, using a computer or, as is common today, not even a computer. It has become easier to access the network using PCs, tablets, mobile phones etc.; geographic boundaries are virtually nonexistent and people or organisations can access the internet at any time of the day.
While access to networks has become easier, more convenient and faster, the risk has increased in direct proportion to the number of ways people connect. The risks range from data loss and data theft to information being misused or abused. Information shared on a network is far more exposed than a printout locked away. Hackers and intruders can sit somewhere else and access the information with a few clicks on their keyboards; they can tamper with it, steal it and basically do whatever they want with that kind of access.
Consider the internet penetration figures above: the more networks there are, the greater the chances of a security breach and the harder it becomes to find the hackers. Effectively the whole world becomes a playing field for a hacker.
Sensitive data ranges from the simplest personal information (a person’s name, contact details, addresses, medical history, credit rating etc.) to intelligence used by government agencies. The most vulnerable systems, however, are those of government organisations, banks, loan companies etc. Securing information of this nature is always of prime concern and importance.
The CIA Triad
The three basic security concepts important to information on the internet are confidentiality, integrity and availability. When information is disclosed to someone not authorised to see it, the result is known as loss of confidentiality. For some types of information confidentiality is a very important attribute; this could include research data, insurance records, new product specifications and corporate strategies. In some systems there may be a legal obligation to protect the privacy of individuals, as with banks, credit rating systems, credit card companies etc. Sensitive information can be corrupted very quickly when it is on an unsecured network. When this information is modified or changed, it is known as loss of integrity. This simply means that changes that were not authorised have been made to the information; this can happen by mistake or intentionally, and of course we are more concerned with the intentional case. Integrity of data is particularly important for safety and for data used in activities like electronic funds transfer, air traffic control and financial accounting.
When information is erased or becomes inaccessible to an authorised person, this is loss of availability. Availability is often the most important criterion in service-oriented businesses that depend on information, such as the airline and hospitality sectors. This also holds true of services like couriers, which track shipments online, and of organisations where inventory data plays a huge role.
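The loss of integrity described above is detectable when the data carries an authentication tag. The following added example (not part of the original article) seals a constructed funds-transfer record with an HMAC-SHA256 tag under a shared secret and shows that both a silently edited record and a tag forged under a different key fail verification. The secret key, the account identifiers and the amounts are all constructed for the demonstration.

```python
import hashlib
import hmac
import json

# Constructed sample secret shared only by sender and receiver.
# In a real deployment it would come from a key store, never from source code.
SECRET_KEY = b"example-shared-secret-do-not-use-in-production"


def canonical_bytes(record: dict) -> bytes:
    """Serialise a record deterministically so both sides hash identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(record: dict, key: bytes = SECRET_KEY) -> str:
    """Return a hex HMAC-SHA256 tag that binds the record to the key."""
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def verify(record: dict, tag: str, key: bytes = SECRET_KEY) -> bool:
    """True only if the record is byte-for-byte what was sealed with this key.
    compare_digest compares in constant time, so the check itself leaks nothing."""
    expected = seal(record, key)
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Seal a constructed transfer record, then show that edits are detected."""
    transfer = {"from": "ACC-1001", "to": "ACC-2002",
                "amount": 250.00, "currency": "EUR"}  # constructed sample
    tag = seal(transfer)
    results = {"original_ok": verify(transfer, tag)}

    # Unauthorised change to the amount: the stored tag no longer matches.
    tampered = dict(transfer, amount=250000.00)
    results["tampered_ok"] = verify(tampered, tag)

    # A tag computed under a different key also fails, so someone who can edit
    # the record but does not hold the key cannot produce an acceptable tag.
    forged_tag = seal(tampered, b"some-other-key")
    results["forged_ok"] = verify(tampered, forged_tag)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'PASS' if ok else 'FAIL (integrity violated)'}")
```

The canonical serialisation matters: if sender and receiver serialised the same record differently (key order, whitespace), the tag would fail even though nothing was tampered with, which is why both sides sort keys and strip separators before hashing.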
Problems faced by the corporate world
For over a decade now, companies and organisations have changed their form of communication and moved primarily towards online practices. From communication to data exchange, the entire system has gone through a colossal change. With increased dependency on network systems and on quick and urgent communication, the threat to the security of all the information that passes through the system has also increased, not merely twofold but into a consistent and constant risk.
This increasing risk is why it is imperative for organisations to develop and implement stringent security policies and systems. All too often this is the aspect that gets neglected the most, and the importance of developing policies and training employees in procedures for possible risks is overlooked.
Studies undertaken by the Computer Emergency Response Team/Coordination Center (CERT/CC), an internet security institution that is part of Carnegie Mellon University, have estimated that approximately 60 percent of security problems are due to passwords.
People generally select their own names, their children’s names, pets’ names and birthdays as passwords, which can easily be broken. Therefore employees should be trained to change their passwords to something other than personal information.
Employees are rarely trained in protection against viruses, password protection, authentication, or what to look for if there is a suspicious blip in their network that does not normally happen. Security measures like employee training are important to maintain a secure network system.
Hackers always aim to gain control of, or entry into, an organisation’s network by using a loophole, a weak link or a security gap they find; in fact, any vulnerability they can find.
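Training alone does not stop someone choosing a password built from personal details; a password-setting routine can refuse such choices outright. The following added example (not from the original article) takes a constructed employee profile (name, children’s names, pets’ names, date of birth) and rejects candidate passwords that are too short or that contain any of those details, including common digit-for-letter substitutions and the usual ways of writing a birthday. The profile, the minimum length and the candidate passwords are all assumed values for the demonstration.

```python
import re
from datetime import date

MIN_LENGTH = 12  # assumed policy value for this demonstration

# Common digit/symbol-for-letter substitutions, undone before matching so that
# "J0hn" or "Sm1th" is still recognised as the person's name.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def personal_tokens(profile: dict) -> set:
    """Collect the lowercase fragments a password must not contain."""
    tokens = set()
    for key in ("name", "children", "pets"):
        values = profile.get(key, [])
        if isinstance(values, str):
            values = [values]
        for value in values:
            for part in re.split(r"[\s\-']+", value.lower()):
                if len(part) >= 3:  # ignore initials and very short fragments
                    tokens.add(part)
    for d in profile.get("birthdays", []):
        tokens.update({
            d.strftime("%Y"),       # 1985
            d.strftime("%d%m"),     # 1203
            d.strftime("%m%d"),     # 0312
            d.strftime("%d%m%Y"),   # 12031985
            d.strftime("%m%d%Y"),   # 03121985
            d.strftime("%d%m%y"),   # 120385
        })
    return tokens


def check_password(candidate: str, profile: dict) -> list:
    """Return the reasons a candidate password is rejected; empty means acceptable."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    lowered = candidate.lower()
    normalised = lowered.translate(LEET_MAP)
    for token in sorted(personal_tokens(profile)):
        if token in lowered or token in normalised:
            reasons.append(f"contains personal information ({token!r})")
    return reasons


def demo() -> dict:
    """Run a few constructed candidates against a constructed profile."""
    profile = {  # constructed sample employee record
        "name": "John Smith",
        "children": ["Emma"],
        "pets": ["Rex"],
        "birthdays": [date(1985, 3, 12)],
    }
    candidates = ["John1985!", "Emma&Rex4ever", "J0hn_Sm1th_2024",
                  "correct-horse-battery"]
    return {c: check_password(c, profile) for c in candidates}


if __name__ == "__main__":
    for candidate, reasons in demo().items():
        verdict = "accepted" if not reasons else "rejected: " + "; ".join(reasons)
        print(f"{candidate!r}: {verdict}")
```

A real deployment would combine this with a check against known-breached password lists and would store only a salted hash of whatever is finally accepted; the profile-based screen shown here is the part that addresses the specific habit the article describes.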
Why do Corporates need Information Security?
To prevent information security failures, the most important protection is the constant development and implementation of effective security policies. There are a few actions that organisations can undertake to protect the hygiene and safety of their data and information.
– Train, inform and notify employees of possible threats and how to avoid them, or contain them if a threat or risk materialises.
– The administrator must frequently back up data.
– Update and constantly check all systems that have access.
– Control access levels for data and information.
– Control which sites employees can and can’t access; for example, Facebook and other networking sites are considered the most vulnerable and the easiest access route for hackers, and are therefore blocked on office premises.
– Screen and control emails and other data flows.
– Some organisations do not allow pen drives, disk drives etc. on their premises, to avoid the compromise of data.
– Prevent the installation and running of unknown or unsafe software and programmes on their systems.
While organisations may face some resistance from employees, it is critical that policies are created and implemented.
Step 1 is to implement security policies that are effective and clearly understood by all concerned.
Step 2 is to ensure that data is safe and uncompromised and all vulnerabilities and weaknesses are plugged.
Step 3 is to ensure that all security systems are implemented and updated frequently.
Step 4 is to keep a regular check, so that if there is a breach of security there are systems in place to limit further damage, if any.
Step 5 is to back up information and data, so any loss of data is not a complete loss.