9 Keys to Surviving the Information Security Battle

From the first moment of competition, we have needed to know at least as much about our competitors as about ourselves. Information has always had value. Information has helped smaller, weaker competitors prevail, as in the tale of David and Goliath. Shortly after the value of information was recognized, keeping one’s own knowledge and information private – secure and safe from unfriendly eyes – became an equal priority. Through all kinds of conquest, from military to sports to business, more and better information – the quicker, the better – is the difference between winning and losing battles, games, and fortunes.

As information evolved from pictures and symbols to words and numbers, from oral to written, and its transmission from courier to mail to electronic means, the need for accuracy, timeliness, safety, and security has always been there. With the increasing complexity of information transmission, however, it has become increasingly difficult to ensure data accuracy, timeliness, safety, and security. Look at the proliferation and near-ubiquity of inexpensive, portable devices and the perceived need to remain “always connected”. Sometimes, we seem eager to reap the rewards without being cognizant of the risks.

Why information security? Because trust is easily and frequently abused.

Information security is an inconvenience to many of us, even when the organization makes it the top priority. Security takes time and adds complexity – in short, it’s a chore. Until something fatal happens to our data or that of our clients, we don’t concern ourselves with conventional wisdom or common sense, let alone follow best security practices.

What are best practices? Well, I did a tiny bit of research one afternoon, and from a half-dozen or so sources, this is what I came up with. Note that this is not an exhaustive list of security best practices but a list of common recommendations:

  1. Implement stronger password protection. This is defined in several ways but most sources concur that short, simple passwords invite trouble, as does using the same password for every app and website.
  2. Use multi-factor authentication. This is becoming more common but far too many websites (social media sites, for instance) haven’t caught up.
  3. Protect your valuable data with a multifaceted approach (anti-malware software, firewall, policy, behavior, etc.).
  4. Keep your applications, operating systems, protective software, firewalls, etc., up to date.
  5. Be careful where you store sensitive information, from financial data to customer data to passwords.
  6. Avoid, or at least be wary of, unsolicited emails or social media messages.
  7. Have and promote a healthy suspicion of new or unfamiliar websites. Don’t get lulled into a false sense of security even with the sites you know and use commonly.
  8. Implement an information disaster response and recovery plan (e.g., backing up data) and conduct response-and-recovery drills periodically.

To these eight keys to surviving cyber threats, add one that’s hardly mentioned in the literature, if at all. Have a third-party auditor regularly[1] perform a careful, thorough, and detailed information security audit of your organization. IT audits not only help you evaluate your organization’s performance with respect to security objectives – they help you identify and act on opportunities for improvement.

Even if you aren’t concerned about complying with standards or regulations, you should know that IT auditing is a sound business practice and a valuable part of any multifaceted approach to IT security. It pays to anticipate trouble, be vigilant, and stay protected.


[1] Depending on the number and degree of risks you face, as well as the size and complexity of your IT operations, you probably ought to have an IT audit conducted yearly, at a minimum. Consider auditing any time you reasonably suspect a problem.


We help small businesses improve their efficiency and effectiveness. Whether you're selling a product or a service, we'll show you how you can improve product and service quality, effectively and affordably. If you need quality, environmental, or health & safety management but can't afford a full-time manager or staff, call on Q9C and we'll pick up the slack. For information or a quote, call or write. Subscribe to the Q9C blog while you're at it.

Posted in Information security, ISO 27001, Risk Management
