In current technology driven world, Information Security for any Enterprise is becoming a huge challenge as in recent past cyber-attacks/Ransomware outbreaks like WannaCry, Petya etc which created huge loss to enterprise communities.
Though enterprises have their own set of controls to overcome these attacks, in my view following areas need to be relooked in detail and prioritized by the management...
1. People
2. Process
3. Technology
As per the industry findings, most of the information security breaches happened due to breach by internal stakeholders. This may be due to lack of information security awareness among the various human resources (employees, contractors, vendors etc) who are part of organization’s ecosystem. It is leadership team’s responsibility to inculcate "security first" vision and showcase their sensitivity towards Information Security breaches. Sometimes a simple campaign like "clean desk initiative" may have great impact on controlling information breach.
Second most important area is processes that organization imparted to handle Information security. Though most of enterprises have stringent data handling processes, still quite a lot of organizations do not have sufficient processes defined to handle critical information which can reach to miscreant’s hands. Well defined processes on secure way of information handling will surely protect organization’s security risks.
Usually a myth prevails in lot of organizations that Information Security is only IT function’s responsibility by implementing latest technology tools/infrastructure. This culture need to be changed to "Information Security is everyone's responsibility" as whatever technology solutions you implement, the risk with people and processes are still the same. Nowadays organizations are moving towards cloud infrastructure adoption to leverage the cloud provider’s security controls which are known to be stronger and agile to security threats from different sources.
Though Information security falls under everyone's responsibility, IT function plays a crucial role in preventing Information security breaches by enhancing/implementing controls with apt technology tools and infrastructure. It is always advisable to go with Org wide third party security assessments through ISO/IEC 27001 standard to get a 360 degree view on current controls and to identify gaps that may adversely impact on organization’s security controls. Most of the organizations adopt multi layered data security approach at various levels of touch points in Organization wide security echo system
• People Level: Defining stringent ISMS Policies, Procedures and creating awareness to all stakeholders by periodic Security training with mandatory assessment test
• Physical Security Level: Door/ Biometric Access Control, Facility Security Surveillance etc
• Perimeter network security Level: Network Firewall / Switches, Intrusion Prevention System (IPS) etc
• Internal Network Level: Web content filtering, Network Data Leak prevention, VLAN Partitioning / MAC binding etc
• Host Level: End Points (Laptops/Desktops) and Server Protection by implementing Anti Virus, Encryption, Data Leak Prevention, Privileged User Access Control etc
• Application Level: Role Based Access/Single Sign-on, Vulnerability Assessments/Penetration Testing (VA/PT) and Code Scanning etc.
