Digitalisation is advancing rapidly
Digital development has different names in different industries, but everything is based on the principle of making better use of information technology in several commercialisation steps and operational activities. One of the consequences of digitalisation is the new and changing needs of security for information and technology. New challenges also arise when different systems communicate with each other.
With technology development encompassing Big Data, Internet of Things and API solutions, it’s easy to create innovative solutions without technical barriers. Everything is connected and all information can be stored and processed to create added value.
Increased freedom brings digital responsibility
Digitalisation gives decision makers and management greater freedom as organisations become creative. It opens the door to financial transformation and to being disruptive to whatever level is required and decided upon.
But this freedom brings responsibility. The responsibility of ensuring that the information flow – a prerequisite for digitalisation – is managed without creating the risk of various internal and external cyberattacks.
Work with assurance
What does high assurance mean? If you look at dictionary.com, you will see that assurance can mean a declaration intended to give confidence. Advenica uses the following definition:
Assurance in security means the degree of confidence that a product or system correctly performs its required security functions and that they cannot be circumvented
Assurance is not an absolute feature either, but it shifts the discussion to something that you can actively act on, i.e. what activities and methods have been used to increase the likelihood that the security product will behave securely? These can be methods for defining security requirements, choice of architecture, design choice and quality assurance methods.
In recent times, it has also proved important to look beyond the design and consider the risks in the manufacturing of the security product. In addition to activities under development and manufacturing, the assurance needs to be maintained after a security product has been distributed. As a respected security company, it is natural that you continuously monitor the outside world and inform your customers if the security, or the assurance, is affected in the delivered solutions if weaknesses are found or when trust in some technology is changed.
The digitalisation strategy – part of Sweden’s path towards secure digitalisation
The Government of Sweden pursues a digitalisation policy where the vision is a sustainable, digitalised Sweden. The digitalisation strategy sets the direction for this policy, and the overall goal is for Sweden to be the best in the world at using the possibilities of digitalisation. To achieve the overall goal, the strategy contains five sub-goals on digital competence, digital security, digital innovation, digital management and digital infrastructure. Digital security is about companies and organisations needing to increase their competence in information and cybersecurity, and about treating it as a strategic business issue.
“Lack of information security skills is a factor that many organisations struggle with. The information security work must be made more visible, given higher strategic importance and woven into companies’ existing management and financial management systems”
Quote from the Digitalisation Council
High demands on security are one of the sub-areas in the digitalisation strategy. This includes e.g. the new Protective Security Act, the introduction of the NIS Directive and the construction of the National Cyber Security Center.
How to get started with information security
New laws have been passed to increase preparedness. These require that organisations delivering services essential to society increase their information security. However, it is not always easy to know where to begin. Here are eight pieces of advice to get you on the right track.
Realise that information security means more than technology
Today, a great deal of information is managed in IT systems, so information security is often equated with IT security. But people and processes have to be included, and all parts are equally important to succeed. Systematic and continuous work based on assets, threats and risks is vital for creating sustainable protection.
Information security work must be linked to your organisation's risk management
All security work has to be based on how risks are managed in the environment where you operate. Information security-related risks have to be treated the same way as other risks.
Ensure that management takes its responsibility
The responsibility for security work always lies with management, as only management can decide not to do something about security risks. Given how the rate of cyberattacks is accelerating, a decision not to invest in information security means that both the organisation and its management take a huge financial risk.
Review procedures and processes
Information security encompasses the entire organisation's operations and all information, regardless of whether it is stored in computers or on a piece of paper. Start by mapping out routines and processes, who has access to information and systems, and the state of your security thinking.
Ensure the right resources
Information security work must be conducted systematically and continuously to ensure an adequate level of information security in an organisation. For successful information security work, you have to have management's commitment and the right resources.
Start with an analysis
Systematic information security work should always be adapted to the specific circumstances of an organisation. A recommendation is to start with an analysis of both the outside world and your operations. Based on the results, it is then possible to decide which security measures have to be implemented.
Develop a security policy (this helps you to maintain information security)
Regulatory documents such as a security policy are the formal framework for your information security work. In these, you have to specify what should be available, what should be done, as well as how it should be done.
Get help from those with in-depth information security knowledge
Getting started with systematic information security work on your own can feel a little overwhelming. If possible, get help from those with extensive knowledge about information security.
Secure management’s commitment
With more and more devices connected to the Internet, the possible attack surfaces into your own IT infrastructure are increasing and all companies and authorities need to ensure that they are doing what they can to avoid an attack. A structured approach to information security is therefore something that must be in place. But how do you go about securing management’s commitment so that information security is prioritised? Here are a few things you should bring to a presentation for the management.
Present a risk analysis
In order to set the right priorities in security work, a risk analysis is needed – a security protection analysis. It defines the most valuable assets of the business, the consequences that can arise if these assets are attacked, what the actual threat is and which vulnerabilities exist. Based on this, appropriate security actions can be proposed.
Explain the consequences
Obviously, you must inform about the consequences that can follow if you do not work with information security. There are several known cases of ransomware attacks that may be mentioned, such as the Maersk case and Baltimore in the United States. But it is even better to give examples based on your analysis. If, for example, you found out that you have shortcomings in the software updates, it is more communicative and convincing to say that “a hacker can copy the entire payroll and post it on the internet” than to talk about having to do a number of security updates.
Explain the benefits of the investment
One possible objection is, “But doesn’t it cost a lot to introduce a structured approach to information security?” This is something you can quickly respond to by explaining that the opportunity cost caused by an attack is usually far higher than the investment needed. With a constantly increasing number of attacks, the risk of being hit is relatively high. Therefore, NOT investing in information security really means that, as a company and as management, you take an extremely large financial risk. Does management really want to take that risk?
Highlight the advantages
It is better if management associates information security with something positive and understands that it is not so complicated. Therefore, it is important that you end your argumentation by explaining that systematic information security work means that you can avoid negative publicity, information leakage and possible downtime – simply avoid several risks of losing business. Another positive effect of structured information security work is that the employees get access to the right information at the right time, which often means that efficiency can be increased. By emphasising these and other benefits of structured information security work, it becomes easier to secure management’s commitment.
Security culture – an important part of cybersecurity
Cybersecurity today is not only a technical challenge but also a human challenge – a matter of security culture. Criminals do not only exploit technical deficiencies but often rely on people to access sensitive data. It is therefore the human factor that causes the most serious security breaches. Building and maintaining a strong security culture is thus an extremely important part of cybersecurity work.
When a functioning security culture is applied, everyone is aware of the risks and has both the knowledge and the will to contribute to reducing the risks through their actions. Security thinking is an obvious part of the business. In other words, the security culture has a great influence on how to work, prioritise and in different ways create the conditions for employees to work securely. Another thing that characterises a functioning security culture in a workplace is that management prioritises and handles security issues at all levels of the business and that they are part of the culture.
Achieve secure digitisation using allowlisting
Taking digital responsibility is about simultaneously digitising and building robustness in our society. Organisations achieve secure digitisation by controlling their information flows. It is about being able to digitally distinguish between authorized and unauthorized persons. By identifying the user and then linking the user with some form of right or possibility, one achieves effective security.
The two mindsets for distinguishing between authorized and unauthorized are called allowlisting and blocklisting. Blocklisting means having a list or specification of the unauthorized. It can be a list of names of people who are not allowed to fly, a ban on bringing weapons through a security check or a list of known computer viruses that the antivirus program should look for. Allowlisting, on the other hand, means that the right key is required to be able to open a door, or that the correct password or PIN code is required to unlock the computer.
Through allowlisting of information flows, one can raise the protection of critical infrastructure without sacrificing the possibilities of digitisation.
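The difference between the two mindsets is easiest to see on an actual information flow. The following is an added illustration, not code from Advenica or from the white paper: a constructed one-way telemetry flow (sensor id, temperature, timestamp) is filtered once with a blocklist of known-bad signatures and once with an allowlist that admits only the exact permitted message shape. The signatures, the schema and the sample messages are all constructed for the example.

```python
import json
import re

# Blocklisting: a list of what is NOT allowed (constructed sample signatures).
KNOWN_BAD = [re.compile(p) for p in (r"<script", r"\.\./", r"\bDROP\s+TABLE\b")]

def blocklist_allows(raw: str) -> bool:
    """Pass everything unless it matches a known-bad signature."""
    return not any(p.search(raw) for p in KNOWN_BAD)

# Allowlisting: the only message shape permitted across the boundary
# (constructed schema for a telemetry flow; every field has a type and a range).
ALLOWED_FIELDS = {
    "sensor_id": lambda v: isinstance(v, str) and re.fullmatch(r"S-\d{4}", v) is not None,
    "temp_c": lambda v: isinstance(v, (int, float)) and not isinstance(v, bool) and -50.0 <= v <= 150.0,
    "ts": lambda v: isinstance(v, int) and not isinstance(v, bool) and v > 0,
}
MAX_BYTES = 256  # constructed size limit for one message

def allowlist_allows(raw: str) -> bool:
    """Pass only messages that exactly match the permitted shape."""
    if len(raw.encode()) > MAX_BYTES:
        return False
    try:
        msg = json.loads(raw)
    except ValueError:
        return False
    if not isinstance(msg, dict) or set(msg) != set(ALLOWED_FIELDS):
        return False  # missing or extra fields are rejected, not ignored
    return all(check(msg[k]) for k, check in ALLOWED_FIELDS.items())

# Constructed sample messages: a valid reading, one hitting a known signature,
# and a novel message with an unexpected field that no signature covers.
SAMPLES = {
    "valid": '{"sensor_id": "S-0042", "temp_c": 21.5, "ts": 1700000000}',
    "known_bad": '{"sensor_id": "<script>", "temp_c": 21.5, "ts": 1700000000}',
    "novel_extra": '{"sensor_id": "S-0042", "temp_c": 21.5, "ts": 1700000000, "update_url": "http://example.invalid/fw"}',
}

def compare(samples=SAMPLES):
    """Return {name: (blocklist verdict, allowlist verdict)} for each sample."""
    return {name: (blocklist_allows(raw), allowlist_allows(raw)) for name, raw in samples.items()}

if __name__ == "__main__":
    for name, (bl, al) in compare().items():
        print(f"{name:12s} blocklist={'pass' if bl else 'drop'}  allowlist={'pass' if al else 'drop'}")
```

The novel message passes the blocklist because nobody has written a signature for it yet, while the allowlist drops it simply because it is not the one shape that was explicitly permitted.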
Read more about how allowlisting works in our White Paper Secure digitalisation using allowlisting.