Taking information security seriously at all levels

Ireland prides itself on being a digital economy, but more needs to be done to ensure businesses remain secure

Paul Delahunty, information security officer, Stryve: ‘One of the trends I foresee in the next 12 to 18 months is that there will be more of a focus on SMEs’

Keeping crucial enterprise data secure remains a concern for everyone in business today – or at least it should be.

Paul Delahunty, information security officer at Stryve, said that despite Ireland’s well-deserved reputation for being at the forefront of digital developments, there was a divide in the country: some companies, typically larger ones and certainly the multinationals, are working hard to keep up to date with the latest techniques in information security.

Others, however, especially at small and medium enterprise (SME) level, are struggling.

“There are some questions we should all be asking, such as ‘Why are SMEs finding it difficult in this area?’ and ‘If Ireland is a digital economy, why aren’t we taking it more seriously?’,” Delahunty said.

He also said he thought it was likely that smaller businesses could become a significant focus of bad actors seeking easy targets.

“One of the trends I foresee in the next 12 to 18 months is that there will be more of a focus on SMEs. The big places have, pretty much, got their security in place,” he said.

For SMEs, he said, the problem was a classic one. Firstly, some simply do not know where to turn for help. Secondly, information security is often seen as being outside the core of the business.

“Even if they could deal with it, it’s not their area. Too many people still think of information security or cyber security as an IT thing which is not what the business does,” Delahunty said.

Nevertheless, he said, it was essential, like many other business functions.

“You’re not an accountant, but you still have someone do your books. If you want to have a business online, which most businesses do today, you need to have information security in place,” he said.

The first thing to do is to assess the risk inherent in whatever data a business collects, and this will naturally differ depending on the nature and scope of the business.

“A lot of businesses don’t even think about it. If you’re a one-man band at least assess the risk: ‘I am not taking in customer details, I don’t store customer accounts, OK’. But at least consider their risk,” Delahunty said.

“If you spend even ten minutes a week assessing your risk, that will help. If it was a financial task, everyone would have their head wrapped around it.”

Policy is as important as technology, and in fact should come first. “The first thing is to have a culture of awareness about clicking links,” Delahunty said.

After that, engagement with a partner can bring a range of technology options, but Delahunty noted that even the terminology around technology can be off-putting.

“Cybersecurity, even the word ‘cyber’, I much prefer information security because, at the end of the day, it’s the information, the data, that you are securing. Cyber might sound cool to techies, but it puts other people off,” he said.

Unfortunately, for some SMEs there is also a clear element of “close your eyes and hope it never happens”. Delahunty said that this could be traced to a lack of understanding: people understand domestic security and act accordingly, but the same is not true of IT systems.

“I don’t have razor wire around the house or CCTV and guard dogs, but I lock the doors and I have an alarm. This is something that can take your business away from you overnight; you wake up one morning and your business is gone, there is no business,” he said.

Changes in how IT is consumed by businesses have brought benefits. Most notably, the cloud has made businesses less reliant on infrequently patched and potentially outdated on-premises hardware.

“As a general thing, the cloud is good, [whether] public or private,” said Delahunty.

It is not a magic bullet, however. “It takes the nuts and bolts out of it. The differentiation is people think ‘My stuff is up in AWS or Azure, so it’s secure’. That’s great, but it doesn’t work that way. They secure their network but it’s still up to you to secure your data. With private cloud, however, they will hold your hand,” he said.

Overall, the picture in Ireland was a mixed one, Delahunty said.

“I think it depends on what you look at it: in some ways, if you can say we are doing it well. A lot of individuals in information security in Ireland are doing excellent things. [National cyber security cluster] Cyber Ireland is really starting to push on and do good things, too. But are we getting enough investment?”

Other factors could also drive rapid leaps, and this is something for the political class to address.

“There could be legislation saying that you have to have a certain level of security for healthcare, for example. That would improve it overnight,” said Delahunty.