23 Jun THOUGHTS ON INFORMATION SECURITY IN COMPANIES.
Today, at the International Chamber of Commerce’s Compliance Committee, a variety of topics regarding information and data security were discussed, mainly risks, their causes and how to mitigate them.
One of the topics that struck me most about this matter is the general notion that, when it comes to discussing information security or cybersecurity, we refer solely to “hackers”, “viruses” or “cyber attacks”. This concern led me to spell out that information security does not consist merely of hackers or viruses, which, although they are a real concern, do not add up to 25% of the causes of security breaches in companies.
According to a study published by the Berkeley Research Group (BRG) on the actual situation of cybersecurity in enterprises, the major source of data breaches and incidents is the employees and former employees of the organizations, which leads companies to take other kinds of actions to mitigate risks, since this information is mostly unknown.
As a recommendation for these companies, I expounded the need to raise awareness and train their employees on these sorts of subjects, as well as the importance of developing information security and privacy policies that are congruent with each other, periodically verifying compliance with them, and penalizing non-observance. Likewise, I stated the importance of classifying information (confidential, privileged, industrial secrets, among others), in order to determine what kind of measures should be implemented and to what extent, since vulnerabilities may decrease, but not disappear.
It is vital to emphasize that for all this variety of activities, the legal, compliance, IT, and all management areas should be involved.
The fact that one of the greatest vulnerabilities in companies concerns the use of information technologies cannot be ruled out. Therefore, it is extremely important to supervise and regulate the usage of these tools, since, generally, the misuse of a technological device or ignorance of a policy opens the door of the company’s databases to hackers.
In conclusion, it is important that enterprises give priority to issues such as information security and personal data protection, in addition to allocating resources for an integral strategy, forasmuch as the economic and reputational impact of non-compliance or inapplicability of policies on the matter could result in the corporation’s bankruptcy.
LUIS MARIO LEMUS RIVERO