Digitalisation is making information security increasingly important. With more and more devices connected to the Internet, the attack surface of your own IT infrastructure is growing, and all companies and authorities need to ensure that they are doing what they can to avoid an attack. A structured approach to information security must therefore be in place. But how do you go about securing management's commitment so that information security is prioritized? Here are a few things you should bring to a presentation for management.

Analyze the risks

To set the right priorities in security work, a risk analysis is needed - a security protection analysis. It defines the most valuable assets of the business, the consequences that can arise if these assets are attacked, what the actual threat is and what vulnerabilities exist. Based on this, appropriate security actions can be proposed.
By asking yourself a few questions, you can obtain a basis for a security protection analysis that allows you to be very concrete when presenting to management.

Explain the consequences

Obviously, you must explain the consequences that can follow if you do not work with information security. There are several known cases of ransomware attacks that may be mentioned, such as the Maersk case and Baltimore in the United States. But it is even better to give examples based on your analysis. If, for example, you found out that you have shortcomings in software updates, it is more communicative and convincing to say that "a hacker can copy the entire payroll and post it on the internet" than to talk about having to do a number of security updates.

The investment is less than the opportunity cost

One possible objection is, "But doesn't it cost a lot to introduce a structured approach to information security?" This is something you can quickly respond to by explaining that the opportunity cost caused by an attack is usually much higher than the investment needed. With a constantly increasing number of attacks, the risk of being hit is relatively high. Therefore, NOT investing in information security really means that you, as a company and as management, take an extremely large financial risk. Does management really want to take that risk?

Highlight the benefits - and secure the management's commitment to information security

It is better if management associates information security with something positive and understands that it is not so complicated. Therefore, it is important that you end your argument by explaining that systematic information security work means that you can avoid negative publicity, information leakage and possible downtime - simply put, avoid several risks of losing business. Another positive effect of structured information security work is that employees get access to the right information at the right time, which often means that efficiency can be increased. By emphasizing these and other benefits of structured information security work, it becomes easier to secure management's commitment.

If you need help conducting a security protection analysis, you can download Advenica's guide to this (in Swedish).

If you need more help, you are welcome to contact us at Advenica.

Today, there are many suppliers of different information security solutions. But do you know how future-proof the solution you choose to invest in actually is? Who is responsible if your solution is hacked in a few years?

Weaknesses are exploited by hackers

Recently, Cisco, a major provider of various IT solutions, agreed to pay a large sum in fines for having sold video surveillance software that they knew contained a critical vulnerability. According to the indictment, Cisco continued to sell the software for four years without addressing a major security vulnerability that a whistleblower warned them about as early as 2008.

Hospitals, airports, schools, and state governments were among the customers, and Cisco is now forced to pay $8.6 million.

The weakness meant that hackers could not only spy on the video recordings, but also turn surveillance cameras on or off, remove recordings and even break into other connected physical security systems such as alarms or locks. All without being discovered. According to the indictment, the weakness was also easy to find and exploit.

Digital responsibility

The lawsuit against Cisco is the first in the United States where a company has been forced to pay for having marketed and sold products without adequate cybersecurity protection. The question this raises is: Who has the digital responsibility?

To take your digital responsibility, you need to work with information management and digital security in a proactive and sustainable way. Today this applies to all companies, and especially to organisations that handle sensitive and/or secret information. But of course, it also applies to businesses that sell different solutions to manage information security, and for them it is also important to work with a longer commitment and future-proof solutions.

Future-proof security solutions

To ensure that the solutions you offer your customers are future-proof, you must watch out for published vulnerabilities that might affect the security of the solution. If something is discovered, the incident must be handled and measures that reduce or remove the risk should be developed. Therefore, to ensure that your information security solution is future-proof, it is important to check that your supplier has a working method that means they will continue to be digitally responsible. Do they provide security updates throughout the product life cycle? Is their product/solution future-proof? These are important questions you need to ask your supplier.

Advenica offers cyber security solutions that meet the highest security requirements, and our product development therefore differs from traditional development work in several ways. With us, future-proofing is an important part of what we call "Product development with high assurance" and is something that is self-evident to us.

Feel free to contact us to hear more about how we can make your information security future-proof.

If you want to read more about how our product development helps us take our digital responsibility, you can download our White Paper #08 "High assurance product development".

You can also read more about how we look at digital responsibility here and in our White Paper #05 "Digital responsibility - the only viable way forward".