When reflecting on the various clients I have worked with over the past year on information security and data privacy programmes, I realised there are five common challenges which impact on the ability to implement an effective information security management system and successfully reduce risk. What you may not be expecting, is that none of these challenges directly relate to technology, actually they are all cultural in theme. Yes, technology is a key element of a good information security defence but compared to the challenges below, it’s the easy part and often takes resources and focus away from the rest.   

1. Senior management buy-in 

2. People risk 

3. Change governance 

4. Third-party risk 

5. Continuous improvement 

Senior management buy-in 

The concept of information security and its associated risks seem abstract, and unlikely, to senior management teams, who we regularly hear questioning “why would we ever be a target”?  Using terms like ‘cyber’ security make it sound complicated and technical, thus making it more likely than ever that responsibility will be handed off to an IT team, with inadequate investment and little consideration of non-technical aspects.  Put simply – it’s not a priority. 

The key here is engagement because, without that buy-in, programmes will not have the investment they need in terms of resources, priority or visibility and awareness.  If senior management are paying lip service to information security, the employee base will copy.  Therein lies the real risk.  

People risk   

With an estimated 90% of personal data breaches in 2019* being caused by human error, technology is great but can only prevent so much.  The outcome of our social engineering testing is often a shocking realisation as to how easy it is to breach your people defences, something which is often neglected.   

Covid-19 has added an interesting additional challenge, in that the mimicking of behaviour and culture that comes from new starters seeing how things are done has been limited.   

Early and ongoing awareness, engagement and incentive are key – a one off training session and hundreds of lengthy policies sitting on an intranet are not going to cut it.  A holistic information security training and awareness programme which takes into consideration your specific risks as an organisation and prevalent learning styles among your people is a must.       

Change governance  

There is an obligation under the UK General Data Protection Regulations (GDPR), with its concept of ‘privacy by design’, to risk assess any change that may impact personal data ahead of making that change but I still seeing so many organisations failing to do so – it’s simply forgotten about or seen as an unnecessary overhead.   

I would argue that it’s actually just good practice. Legislative requirements aside, it’s so easy these days to start using free software, download apps, store documents in the cloud etc, that an organisation can very quickly lose control of its valuable information.  Many organisations work in a devolved structure which compounds the risk of inadvertent change negatively impacting on information security or data privacy.   

Managing change is simply about making sure that there is some oversight and that risks to information security and data privacy are identified and managed before they materialise.  This can be a lightweight process, which is simply an add on to existing internal approval processes, and arguably it can lead to a better thought-out change.      

Third party risk 

I have observed a general assumption being made that suppliers and partners must be GDPR compliant and have adequate information security in place because other organisations are using them.  I’m advising caution here!  It is worth remembering that one organisation’s information security requirements may be very different to another, depending on the nature of the organisation, its geographic location and associated risk and legislative requirements, the compliance requirements of the sector, and the nature of the third-party agreement and what they will have access to.   

Simply put, never assume!  Define your information security requirements and conduct due diligence to measure against them.  If a third party fails to meet these, then you have a risk assessment to hand with which to make an informed choice about your next steps. 

Continuous improvement 

A car manufacturer would never release a new model onto the road without putting it through extensive testing first would they?  They will also monitor a new release on an ongoing basis for issues experienced on the road, so that they know when to issue recalls, and to identify improvements for the next model.  On an annual basis we service and MOT our cars to ensure they continue to be roadworthy.  Information security and data privacy regimes should be no different, with the internal and external threat landscape constantly evolving.  Yet, I regularly observe little effort put into thoroughly testing, monitoring or improving, beyond basic technological controls, e.g. patching and an occasional penetration test.  Information security awareness, processes, and physical security measures should also be tested regularly. 

It is useful to audit your overall regime on an annual basis to identify improvements and to demonstrate progress – Cyber Maturity Assessments and GDPR Maturity Assessments support this goal.    

Conclusion 

External threats are becoming more and more advanced, technology is constantly evolving to take away some of the heat, but to keep information security risks at bay, you also need to have the challenges presented above in hand.  If you recognise any of these as being something you are losing sleep about, first take comfort in the fact that you’re not alone and second, why not get in touch?  We have many creative ways to help, and I’d love to know whether these challenges sound familiar to you.  

References 

*https://www.infosecurity-magazine.com/news/90-data-breaches-human-error/