Ensuring information is secure in a company is challenging at the best of times. The risks are numerous and fluid, and the impact of an information security breach on a company is consequently high. Today we shall identify and outline the main information security challenges a company faces and how to deal with them.
The first common challenge is not knowing who in the company uses what sensitive data. Not many organizations perform audits or inventories of sensitive data. An inventory should be initiated to develop a data flow map that charts sensitive data and the employees who use it. This data map will help in identifying the vulnerable points in your information infrastructure.
Another regular challenge is not protecting sensitive data in proportion to its value. Data generated and stored by any organization (or individual) has an intrinsic value, and it is important for management to have a sense of the worth of sensitive data to the company. For example, the recipes of a confectionery company can be considered very sensitive. It is therefore prudent to conduct a data asset valuation that evaluates and determines which corporate data is sensitive. It is then possible to apply justifiable information protection resources to that data.
The third challenge is the propensity of companies to embark on redundant information security compliance projects. Data security regulations are developed and implemented by various regulatory bodies, for example the Communications Commission of Kenya (CCK). To reduce redundant compliance efforts it is crucial to develop a regulatory compliance grid. This grid indicates which specific data elements and databases are covered by which information security regulations. The grid will help focus resources on protecting the data that really matters, for example credit card data.
The final difficulty is reliance on simple annual security awareness programs. Most companies conduct these programs to show their employees and contractors that they are serious about information security: questionnaires are distributed, sensitization talks are conducted and expansive warnings are dispensed. This is not enough. An information protection testing program should replace these awareness programs. The main objective of a protection testing program is to test the data handling procedures and policies in the organization, and samples of the employees and contractors who handle sensitive information should be the ones tested.
Identifying these common challenges is necessary for any information-security-conscious company.