Information security: Why is it so important and what can you do?
This post is an English translation of my original Dutch post on BCT's website. It has been generalised and updated in light of recent developments and events, and it leaves out some BCT-specific details.
Information security is best achieved by privacy by design as well as security by design.
In order to prevent continually increasing cybercrime from gaining the upper hand, information security must be taken seriously; otherwise the consequences can be dire. Blackmail, identity theft, data breaches and denial of ICT services have a significant impact on the national and international economy. In this post I'd like to explain why information security is so important and, even more importantly, which actions organisations can take to improve their information security and turn the odds in their favour in the battle against cybercrime.
Cybercrime keeps increasing
Nowadays hardly a day goes by without a hack or a data breach in digital systems. Some examples:
- Marriott Hotels' systems have been hacked, exposing personal and financial data of up to 500 million guests, going as far back as 2014.
- Users of fitness trackers such as MyFitnessPal and Strava have been victims of information exposure: through hacking, revealing personal data, and through unintended usage, revealing military data, respectively.
- Ransomware, which is considered one of the most dangerous cyber threats, encrypts files and only decrypts these files in exchange for monetary payment (if it does that at all).
It's becoming increasingly easy to break into digital systems in multiple places at the same time, for instance by exploiting a security vulnerability in a software product that is used worldwide. The poignant thing is that in most cases these cyber threats are easily prevented by simple measures.
Usually cybercrime has a financial goal, namely obtaining as much money as possible. This is extremely inconvenient for companies and their customers. However, the damage inflicted is not only material but also immaterial, for instance when the reputation of a company and the trust people place in it are affected once a security breach becomes publicly known (which is a requirement under the General Data Protection Regulation (GDPR); see also the paragraph Legislation). In extreme cases this may lead to bankruptcy.
Information security is more than just technology
When one thinks about information security, one quickly leans toward the technical side of it. However, that's only part of the story. According to the ISO 27001 guidelines, proper information security requires organisational and procedural measures in addition to technical ones. These measures must be based on risk analyses or on legal obligations.
National governments and the European Union increasingly value the protection and proper processing of personal data, as well as the free flow of personal data within the Union. Therefore European legislation, and consequently the national legislation of the European member states, changes along with it. Since 25 May 2018 the General Data Protection Regulation (GDPR) has been in effect, meaning that organisations in the European Union must adhere to it and implement proper measures to fulfil the data processing rights of European citizens and to protect their personal data. To achieve that, taking into account the three key security principles Confidentiality, Integrity and Availability (also known as the CIA triad) is essential.
Organisational and procedural measures based on proper risk analyses
By implementing an Information Security Management System (ISMS), organisational and procedural measures can be taken in a structured manner. An ISMS is a set of organisational policy guidelines that strictly require information security in the implementation of business processes. Certification in ISO 27001, preferably together with certification in ISO 9001 for proper quality management ("say what you do, do what you say, and prove it"), enables an ISMS in an orderly manner.
By working this way, appropriate security measures can be implemented in business processes, based on proper risk analyses. It's also crucial that these measures are evaluated periodically in order to guarantee their effectiveness and efficiency in the long term, taking into account the rapidly changing markets as well as the legislation currently in force.
It's possible to include the High Level Structure (HLS) of the ISO 9001:2015 and ISO 27001:2013 standards as well. The HLS makes the relationship between a management system standard and an organisation's strategic goals and operational processes evident. It also helps to keep the applied terminology unambiguous, which greatly simplifies the unification of several management system standards. It's a matter of time before new ISO standards also apply the new High Level Structure.
Technical measures against cybercrime
There are several types of technical measures: preventive, detective, repressive and corrective. Penetration testing helps to apply those technical measures effectively. After all, break-in attempts must be prevented (preventive measures) and detected by means of active monitoring and alerting (detective measures). Moreover, the consequences of a successful break-in must be minimised (repressive measures) and reverted (corrective measures).
Technical measures at infrastructure and software level should be applied from the outside in: perimeter, network, platform, application and finally, most importantly, data. This is the principle of the Layered Security Framework, specifically the one from Alex Berson and Larry Dubov as described in their book Master Data Management and Data Governance. See also Figure 1.
It's recommended to take the security guidelines from the national NCSC (in the Netherlands the Dutch NCSC) and OWASP into account. The software development process should implement the principles of Secure Software Development, such as those from the Dutch Centrum Informatiebeveiliging en Privacybescherming (CIP).
Some of the most recommended technical measures are as follows:
- Encryption of data in transit by means of Transport Layer Security (TLS), the successor of the now deprecated Secure Sockets Layer (SSL). TLS 1.3 is recommended (with TLS 1.2 possibly kept for backwards compatibility).
- You can test your web application for proper TLS with this tool.
- Encryption of the data at rest by means of database encryption (including data encryption by the application software).
- Enforcement of security headers in web applications, which control the functionality and behaviour of web browsers in order to prevent abuse inside the web application.
- You can test your web application for proper security headers with this tool.
- Two-Factor Authentication (a subset of Multi-Factor Authentication (MFA)) or, preferably, Universal 2nd Factor (U2F), as well as authorisation: who are you and what are you allowed to do? This should be the primary and central component in all layers of the software, by means of standard Identity and Access Management (IAM) software.
- Restricted access to data for users by applying data classifications, where terms like “public”, “confidential” and “secret” are common. More specifically, this is the concept of data visibility.
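As an added example covering the TLS and security-header items above (written for this post, not taken from it or from either of the tools mentioned), the script below parses a constructed HTTP response, reports which recommended security headers are missing or weak, and builds a TLS client context that refuses anything older than TLS 1.2. The sample response, the one-year HSTS threshold and the header set checked are my assumptions.

```python
import ssl

# Constructed sample response used as input; not captured from a real server.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: deny\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

def parse_response_headers(raw: str) -> dict:
    """Split an HTTP/1.1 response into a lower-cased header name -> value map."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")[1:]            # drop the status line
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def audit_security_headers(headers: dict) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        max_age = 0
        for directive in hsts.split(";"):
            key, _, val = directive.strip().partition("=")
            if key.lower() == "max-age" and val.isdigit():
                max_age = int(val)
        if max_age < 31536000:  # assumed minimum: one year
            findings.append(f"HSTS max-age too short: {max_age}")
    if "content-security-policy" not in headers:
        findings.append("missing Content-Security-Policy")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")
    if headers.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options is not DENY or SAMEORIGIN")
    if "referrer-policy" not in headers:
        findings.append("missing Referrer-Policy")
    return findings

def hardened_client_context() -> ssl.SSLContext:
    """Client TLS context: certificate verification on, TLS 1.2 as the floor."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx
```

Running `audit_security_headers(parse_response_headers(SAMPLE_RESPONSE))` on the sample reports a too-short HSTS max-age and the missing Content-Security-Policy and Referrer-Policy headers.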
These technical measures implement two of the key security principles, Confidentiality and Integrity.
Finally, there is also the matter of physical security. This is about securing, for instance, the building, server rooms, network cables, switches and routers. Even the maximum range of a wireless connection is part of it.