Information security is no longer the sole preserve of a company’s IT function. Properly executed, an information security strategy should be seen as a business wide enabler and not a business blocker. I use the term information security carefully; cybersecurity has become associated with sophisticated technological solutions for electronically stored data – more on that later.

A company’s leadership must elevate information security to a key agenda item at board meetings, even if you are the only one present at that meeting – it’s especially critical for small and medium-sized businesses. My hope is that this article highlights some simple yet effective measures you can employ to strengthen your organisation’s information security.

Not that long ago, information security was considered an issue that could be solved by technology and therefore belonged to the IT department. Seldom would the C-suite become involved in such a technical issue. However, Harvard Business Review research has shown that the majority of information security breaches are caused by human error or malfeasance. This is a little know yet powerful fact and tells us that the solution to improving information security starts with a company’s employees, not its computers.

Information security is a big problem for business; As per Boston Consulting Group Study, it is a $445bn problem that is only growing. So what should you do to protect your company?

Taking a strategic approach to information security involves three pillars, all of which have to be executed in tandem. Often companies focus on the last pillar, which is a big mistake and can cost dearly.

Three pillars of information security

   1. Creating an information security culture – Most businesses I have interacted with – both large and small – have a lackadaisical culture regarding information security. This can be remedied quickly and easily with basic a clear desk policy and clearing the printer log after. The CEO doing random spot checks against company policy is also particularly effective. These simple steps can start a company on the journey to creating an information security-first mindset.

   2. Information security policies and procedures – What policies and procedures do you have in place to ensure basic hygiene factors are adhered to? Do you integrate information security breaches into disciplinary procedures or embed information security from day one for new joiners e.g. the signing of the company’s information security policy before starting work. As an aside, a company’s information security policy must be aligned with its company’s strategic goals. Having new joiners sign the company’s information security policy prior to starting their first day is a great way to ingrain the importance of information security.

   3. Information security technological solutions – now that we have addressed (at a high-level) the most critical element of information security we can turn to the more classical approach to protecting a company and its information assets:

              a. Endpoint protection: it is now relatively cheap and easy to encrypt computer endpoints to ensure only company approved device are connected to a company computer.

              b.Mobile device management: this can be installed on company computers and mobile phones. Being able to control a device’s information security ecosystem is of critical importance in protecting a company’s information assets. Employees can often do unintended harm by using work devices to send seemingly innocuous messages to those outside of the organisation.

             c. Up-to-date anti-virus protection: perhaps the easiest of all, ensure that all machines have the latest antivirus protection software installed and that all patches and updates are being consumed by the end user.  

In tandem these three pillars can form an effective first line defence, however, information security is evolving at such a speed it must be monitored and refined frequently across all pillars.  

The boardroom is often the last to know when an attack or breach happens; it should be the first to know and the first to set the company’s culture and strategy towards information security.