Correct Your Posture: Information Security Essentials for Budget-Minded Businesses — Part 1 of 2

Mike Harvey
5 min read · Sep 25, 2020

The IT Security fears that keep companies up at night are particularly pressing lately in the area of information security — commonly referred to as infosec — which primarily revolves around securing data from unauthorized access. An ever-expanding attack surface, novel threat types, high-profile data breaches in the news and new privacy legislation like GDPR and CCPA have many companies questioning whether they have their infosec act together.

In an exacerbating twist, the escalating squeeze on data security and compliance comes at a time when data analytics to improve marketing, sales and product strategies is all the rage. Many are suddenly unsure about what is okay and not okay in terms of customer data use considering the new privacy legislation. Needing kid gloves to handle data isn’t just the problem of companies in sectors like healthcare and financial services anymore. Thanks to these trends, just about everyone’s grumbling about it.

It all adds up to a high-anxiety atmosphere for all companies with any customer data in their possession, especially if a staff of scarce, expensive security professionals isn’t in their budget. How can they make sure they’re in compliance with security and privacy standards to avoid ruinous penalties and damage to their reputations without breaking the bank?

What is information security?
IT security, or cybersecurity, is the entire body of practices around securing and defending IT assets. Since IT stands for information technology, people may easily confuse information security with IT security, thinking it’s a sort of abbreviated form with technology omitted. In fact, information security is its own distinct category under the broader umbrella of IT security. Information doesn’t imply all things to do with computers, but rather actual data, like people’s names, social security numbers, health records, credit card numbers and so on.

Along with infosec, other categories under the IT security rubric include, for example, network security and application security. They are bound to overlap at times, since data, networks and applications aren’t neatly siloed but often work in tandem to produce results for end users.

The purpose of infosec is to prevent the loss, theft, misuse or improper modification of an organization’s data while at rest or in transit from one machine or location to another. Its most important elements are: confidentiality, integrity and availability. These make up what practitioners refer to as the CIA triad.

Confidentiality
Confidentiality ensures that data is accessible only to authorized individuals. To make sure data is confidential, companies must be able to identify anyone trying to access it and block access to the unauthorized. To accomplish this, they may employ encryption, passwords, authentication processes, etc.

Integrity
Maintaining the integrity of data demands that it be kept in its correct state, unmodified either by accident or on purpose. Good data confidentiality measures obviously go a long way towards preventing malicious data modifications, since bad actors can’t modify what they can’t access. Further, things like version control software, frequent backups and checksums can help prevent modification, restore data to a previous known-good state, and prove the integrity of data for non-repudiation purposes.
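To make the checksum point concrete, here is a small example I’ve added for this post (it is not code from the article or from CMH Works). It stores a checksum for a constructed sample customer record, then shows that a plain SHA-256 checksum catches an altered record, but also that anyone able to rewrite the record can simply recompute that checksum. A keyed HMAC, where the verification key is kept apart from the data store, closes that gap. The record contents and the key are made up for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed sample record (fictional customer data, for illustration only).
RECORD = b"customer_id=1042;name=Jane Example;balance=250.00"


def checksum(data: bytes) -> str:
    """Unkeyed SHA-256 checksum: detects accidental corruption or bit flips."""
    return hashlib.sha256(data).hexdigest()


def verify_checksum(data: bytes, expected: str) -> bool:
    """Constant-time comparison so the check itself doesn't leak timing information."""
    return hmac.compare_digest(checksum(data), expected)


def integrity_tag(data: bytes, key: bytes) -> str:
    """Keyed HMAC-SHA256: without the key, a valid tag for altered data can't be produced."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(data: bytes, key: bytes, expected: str) -> bool:
    return hmac.compare_digest(integrity_tag(data, key), expected)


def demo() -> dict:
    """Walk through both checks on the original and on a modified copy of the record."""
    key = secrets.token_bytes(32)          # kept outside the data store in a real deployment
    stored_sum = checksum(RECORD)          # what a backup or version-control system might keep
    stored_tag = integrity_tag(RECORD, key)

    # Simulated unauthorized edit to the stored record.
    tampered = RECORD.replace(b"250.00", b"2500.00")
    # Whoever edited the record can also recompute the unkeyed checksum...
    forged_sum = checksum(tampered)

    return {
        "original_checksum_ok": verify_checksum(RECORD, stored_sum),
        "tampered_checksum_ok": verify_checksum(tampered, stored_sum),   # False: change detected
        "forged_checksum_ok": verify_checksum(tampered, forged_sum),     # True: checksum alone is not proof
        "original_tag_ok": verify_tag(RECORD, key, stored_tag),
        "tampered_tag_ok": verify_tag(tampered, key, stored_tag),        # False: no key, no valid tag
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The practical takeaway for an SMB: a checksum stored next to the data is fine for spotting accidental corruption, but to show that a record was not deliberately altered you need a keyed tag (or a signature) whose key the person holding the data cannot reach.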

Availability
Just as data must be sealed away from unauthorized users, it must always be readily available to authorized individuals for various uses. Ensuring availability requires provisioning network and compute resources proportionate to data volume, as well as adequate backup and disaster-recovery policies and tools.

Individual organizations may apply principles of the CIA triad in different ways to serve their unique information-security priorities. For example, a healthcare provider may value confidentiality highest, whereas a bank or other financial institution may take stronger integrity measures in order to fight attempts at fraud. A company’s whole set of infosec guidelines and practices make up its security policy. This policy informs its choices around everything from employee responsibilities to the selection of technology tools.

Short staffed, high anxiety
Companies that deal with clients in heavily regulated sectors — like healthcare, insurance, financial services, legal, education, utilities and transportation — have long faced stringent infosec requirements.

Keeping abreast of updates to regulation and implementing changes to security policy in order to adjust to them is crucial to avoid running afoul of regulating bodies, paying heavy penalties and losing business. But it can be challenging — especially for small to medium sized businesses (SMBs). See the chart below for the most common types of data accessed in security breaches.

Many SMBs may struggle with infosec due to the difficulty and cost of hiring a security staff. One oft-cited report predicted that by next year, there will be 3.5 million unfilled security jobs globally. And a 2019 survey showed that infosec pros topped the list of employees Chief Information Officers wished to hire. The Bureau of Labor Statistics puts the median information security analyst’s salary at $99,730, easily outside the budget of many businesses.

If the skills shortage wasn’t bad enough, all types of companies may now be tasked with securing an expanded attack surface thanks to distributed IT, connected IoT devices and remote work. Also, initiatives involving analytics and AI may call for certain uses of customer data that require companies to reassess guidelines around access, security and privacy.

Some companies are so intimidated by new privacy legislation that they worry they can’t afford the risk involved in storing and using customer data at all. GDPR, for example, a set of laws governing use of European citizens’ data, may levy fines as high as 4% of a company’s annual revenue — enough to seriously hurt a lot of businesses. Reports vary, but compliance rates generally appear too low for comfort. A Capgemini study from last year put the figure at just 28% of companies claiming to be fully GDPR compliant. And a majority of those now say they fear they can’t stay compliant, according to some research. Experts predict a wave of similar laws in the US and elsewhere. In fact, we already have a major one in the California Consumer Privacy Act (CCPA).

At CMHWorks, we offer these and additional services to enable our clients to comply with growing infosec demands. Contact us today to learn more about how we can help your organization prepare for its next security audit or just let you sleep better at night.

In Part II of our article, we will examine the costs of creating and maintaining an effective information security posture. Stay tuned and make sure to follow us!

Mike Harvey

Mike is the founder of CMH Works, LLC and has been an IT Executive, Chief Architect and Web Developer for over 25 years