Information Risk is NOT Just an IT Issue

Just as your information assets are many and varied, your information risks are too.

Although secure information systems are of huge importance, technology is not the whole story. Not all information is stored on computers – it is physical too: it is filed in cabinets, carried around in folders, taken outside your office, and it is in people's heads. It all needs protecting, regardless of the medium it is stored on.

“If I want to know the risks to my information I ask my IT guy.”

The threats aren't purely from cyber crime. Environmental incidents, loss and physical theft are less newsworthy but equally dangerous, and in some cases more likely. The human factor makes any business particularly vulnerable.

If you look at our recent post on the Top Ten Information Security Breaches, you'll see a mix of scenarios – some arising from cyber attack, but others due to a lack of physical controls or basic human error.

“What every organisation needs is parity and balance; the right mix of physical, procedural as well as technical controls – in line with your business objectives.”

Dave James, MD of Ascentor

Take a holistic view of information risk

An organisation's information assets range from personal information on your customers to confidential company information and intimate staff details. Information risk needs strategic thinking and a wide view. Risk management is not about avoidance but balance: the right mix of physical, procedural as well as technical controls – in line with your business objectives.

Effective Information Risk Management is about identifying your most important assets and the threats and vulnerabilities you face as a consequence of the company doing business. What is the impact – can you live with the resultant risk? If you cannot, take action to reduce the vulnerability or the impact. This action could be a roadmap: a strategic intent to solve the problem and reduce exposure over a period of time. In case of an incident, be prepared – have a plan for how you operate when your information is unavailable.

We strongly advise any Board of Directors to take a holistic approach to Information Risk Management – right across the business: physical, procedural, personnel and technical. Task each Board member to go and investigate risk in their area.

Which of your gates is open?

You’ll find more information on this holistic approach to Information Risk Management, plus questions for each member of the Board, in our discussion paper: ‘The Board’s Guide to Information Risk’.


11 thoughts on “Information Risk is NOT Just an IT Issue”

  1. This is very useful and often overlooked. I totally agree with your article – information security is most often dumped on IT who, as you would expect, focus on technical controls only. This leaves organisations vulnerable when they think they have the risk covered. Thanks for sharing your view.

  2. Sam McFadden says:

    Interesting article. Very useful.

  3. So true. As a marketer I’m highly conscious of things like data security. Even leaving an event attendee list with contact details hanging around unattended can have you lose key customer data. And, of course, breach their privacy and the Data Protection Act. And, there’s nothing an IT bod can do about bits of paper inadvertently left lying around!

    • Dave James says:

      Thanks Sam, glad you found the article interesting. I am confident this is a subject more companies will be thinking about this year.

      James, Bryony – you have hit the nail on the head; in our ever more technology driven world it is easy to focus our attention only on information stored in the plethora of electronic devices at our finger tips. The rise of the term ‘cyber security’ only reinforces the view that responsibility for information security resides within the IT department. The reality, as demonstrated by the senior civil servant who left very sensitive UK government information on the train (http://news.bbc.co.uk/1/hi/7449255.stm), is that paper is still used to ‘store’ company information. If you want to protect sensitive information, regardless of its storage medium, you need a holistic view of the business, not one focussed entirely on IT.
