Information security basics

A comprehensive guide for beginners that walks you through:

  • How information security protects data from diverse threats
  • Why an ISMS aligned with ISO 27001 is vital for reliable data protection
  • The role of training, risk management, and certification in building trust with customers and partners


An introduction to information security

Information is everything in today's economy. It forms the basis for business processes, innovation, and competitive advantage. 

However, it's also vulnerable to a broad range of threats. Cyberattacks, data loss, and human error can lead to security incidents that cause data loss, operational disruptions, and reputational damage.

All of this makes the protection of information a key business objective. By implementing robust security measures, businesses can protect their information and achieve their business goals.

Where should you start? Establishing an Information Security Management System (ISMS), certification to ISO 27001, or an assessment according to TISAX®—while each is a great first step, pursuing any of these milestones can feel challenging.

In this ultimate guide, we will cover information security from start to finish to give you the best possible head start.

Questions we’ll answer:

  • What is information security, and how has it changed recently?

  • What are the fundamental principles of information security?

  • What are the most current threats to information security?

  • Which jobs make up information security, including an overview of the most important position: the Information Security Officer?

  • How to develop an information security management system? 


What is information security?

Information security (or InfoSec for short) covers how an organization can protect sensitive information, including policies and procedures that prevent unauthorized parties from accessing company data.

Information security is a growing, constantly evolving field that covers a wide range of topics. Besides technical equipment, companies also need clear and scalable processes, qualified talent and trustworthy suppliers to keep data safe. 

Good to know:

  • Information security describes the protection of corporate assets, which most commonly includes sensitive data.

  • Information security is becoming more and more important as attackers have more tools at their disposal to steal or tamper with data.

  • Information security plays a role across all industries. While some are more regulated than others (for example, healthcare and financial services), it is an essential component of any business plan.

Definitions: information security terms 

Information security describes the protection of digital assets: data that is of value to an organization's operations and vital to achieving business objectives.

There are several industry standards that guide companies on how to build an information security program, most of which focus on these three objectives:

  • Confidentiality: Ensuring that information can only be accessed by authorized people. Measures that protect data's confidentiality include encryption, access control, and physical and environmental security.

  • Integrity: Ensuring that information is protected against tampering and corruption. Unintentional changes are more likely to occur due to defective systems and processes than through human error. 

  • Availability: Ensuring information is always available when needed. If data is lost, a further task is to restore it as soon as possible—for example, through backups. Measures that protect the availability of information include incident and business continuity management.

Objectives of information security (Confidentiality, Integrity, Availability)

 

Information security vs cybersecurity vs IT security

Another set of important terms is "IT security", "cybersecurity", and how they differ from "information security." 

Information security focuses on the general practice of protecting information. 

IT security refers to protecting the IT infrastructure you use to collect, manage, or protect that data. It covers computers, servers, wiring and the like, all of which must be protected from access by unauthorized third parties.

Finally, cybersecurity is a branch of information and IT security. It pertains to protecting information in cyberspace, i.e., information security on the web.

 


Information security: laws and certifications

Information security is becoming more and more important for business continuity. In recent years, numerous laws that directly deal with information security, such as the NIS2 Directive, have been implemented or updated with stricter requirements. In part, this is because the high pace of technological progress and digitization poses new risks to today's businesses.

At the same time, security awareness is growing among consumers, B2B customers, investors, employees, and other stakeholders. Certifications such as ISO 27001 and TISAX® play an important role in earning their trust. 


What are the threats to information security?

When they hear ‘threats to information security’, most people immediately think of cyberattacks, organized crime, and espionage. And it’s true: criminal attacks – in particular on digital systems – pose a serious threat with far-reaching consequences.

But you shouldn't think only of bad actors. Even a company’s employees can represent a threat to information security, intentionally or by accident. Further threats include defective systems and processes and physical threats through natural disasters.

Key points:

  • Information security can be compromised through natural forces, a company’s own employees, systems, processes, and cyber crime.

  • When hackers strike, it’s usually to blackmail companies into paying a ransom or simply to steal data needed to launch further attacks.

  • Social engineering, insecure passwords, remote working, shadow IT, and insecure cloud solutions are examples of the most common vulnerabilities.

Physical threats

In March of 2021, a fire broke out in a five-story OVH data centre in Strasbourg. 12,000 servers went up in flames, more than 100,000 websites across the world crashed, and data lost in the blaze will never be recovered. The economic consequences were devastating.

Many of OVH’s customers had neglected to ensure their data was recoverable. In short, there were no copies, and the companies were at a loss.

This is why one task of information security is business continuity management. Companies must remain operational even if data stored in a data center is lost, a risk that any good risk analysis should discover. When choosing a data center or a cloud solution that processes business-critical information, one crucial factor in terms of information security is a high uptime guarantee.

Threats from employees

Negligence, poor training, and lack of awareness among employees are among the most frequently mentioned factors that facilitate cyber crime. Companies must ensure that staff are aware of cyber risks. The UK cyber security breaches survey states that phishing attacks made up 80% of all cyber-attacks in 2023. Most cyber actors use social engineering techniques to gain access to the target organization’s networks. Therefore, training is crucial to preventing phishing attacks and avoiding vulnerabilities.

Cases of data theft by (former) employees rarely reach public awareness. Typically, a company is most vulnerable to employee data theft during the onboarding and offboarding processes. New employees with extensive access to sensitive company data (e.g., Heads of IT or higher management) should be subjected to background checks. Employees should always hand back any information assets in their possession when they leave a company.

Often, however, it is not intentional data theft that makes employees a threat to information security. Instead, it is the ‘human factor’ itself that poses the greatest vulnerability, particularly where insufficient training results in a lack of awareness and staff take risky shortcuts to meet deadlines.

Threats due to systems and processes

Unless the systems for storing and processing data are fit for purpose, the objectives of information security will always remain out of reach. Take the objective of integrity, for example: to ensure the integrity of a company’s data, its IT systems must make it impossible for data to be manipulated without being noticed.

Suppose your company uses a tool that doesn't prevent changing the number of an outgoing invoice after it's already been submitted. In that case, this might result in incoming payments being allocated to the wrong account. 

Even self-programmed solutions can be prone to error when data is mistakenly overwritten, duplicated, or otherwise modified. When that happens, your data no longer meets the integrity requirement. So, your IT tools have to function effectively, alone and alongside other systems.
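The integrity requirement above (changes to submitted data must not go unnoticed) can be enforced rather than just hoped for. The following is an added example, not code from the page or from DataGuard: a toy invoice ledger that seals each invoice with an HMAC when it is submitted, refuses duplicate submissions, and refuses to allocate a payment to any record whose seal no longer matches its fields. The names `InvoiceLedger`, `seal_invoice` and `verify_invoice`, the seal key and the sample invoice are all constructed for this illustration.

```python
import hashlib
import hmac
import json

# Constructed key for the example only; a real finance service would load this
# from a secrets store so that application users cannot re-seal edited records.
SEAL_KEY = b"example-only-seal-key"


def canonical(fields: dict) -> bytes:
    """Serialize the invoice fields deterministically so the HMAC is reproducible."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def seal_invoice(invoice: dict, key: bytes = SEAL_KEY) -> dict:
    """Return a copy of the invoice carrying an HMAC-SHA256 seal over its fields."""
    body = {k: v for k, v in invoice.items() if k != "seal"}
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "seal": tag}


def verify_invoice(record: dict, key: bytes = SEAL_KEY) -> bool:
    """True only if every field still matches the seal computed at submission time."""
    body = {k: v for k, v in record.items() if k != "seal"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record.get("seal", ""))


class InvoiceLedger:
    """Minimal store: submitted invoices are sealed and cannot be edited in place."""

    def __init__(self, key: bytes = SEAL_KEY):
        self._key = key
        self._records = {}

    def submit(self, invoice: dict) -> str:
        number = invoice["number"]
        if number in self._records:
            # Duplicated submissions would silently corrupt allocation later.
            raise ValueError(f"invoice {number} already submitted")
        self._records[number] = seal_invoice(invoice, self._key)
        return number

    def get(self, number: str) -> dict:
        return dict(self._records[number])

    def allocate_payment(self, record: dict) -> str:
        """Return the account an incoming payment belongs to, or refuse a tampered record."""
        if not verify_invoice(record, self._key):
            raise ValueError("integrity check failed: invoice modified after submission")
        return record["account"]


def demo() -> bool:
    """Submit one constructed invoice, then show that a changed number is detected."""
    ledger = InvoiceLedger()
    ledger.submit({"number": "INV-1001", "account": "ACC-42",
                   "amount": 1250.0, "customer": "Example GmbH"})
    record = ledger.get("INV-1001")
    tampered = dict(record)
    tampered["number"] = "INV-1002"   # the edit the text warns about
    return verify_invoice(record) and not verify_invoice(tampered)


if __name__ == "__main__":
    print("tampering detected:", demo())
```

Only the component holding the seal key can produce a valid seal, so an edit made through a tool or script that bypasses the submission path is caught at the point where it would do damage: payment allocation.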

Threats due to cyber crime

The global average cost of a data breach in 2023 was 4.45 million dollars, a 15% increase over three years. One thing is certain: cyber crime is on the rise and gets more expensive by the day. It primarily affects companies through the theft of sensitive data, spying on digital communication, and digital sabotage.

30% of all businesses in the UK have identified data breaches or attacks in the last 12 months, according to The Cyber Security Breaches Survey.

Phishing attacks are considered the most disruptive type of attack, but impersonation also has a high potential for damage. Consequences include website disruption, temporary loss of access to files or networks, corrupted systems, and stolen data.

The easiest first step to protect against cyber crime is to train employees, apply security updates regularly, and store data in a secure location. This is also an information security task: the acquisition, development and maintenance of secure systems.

What hackers want

Losing information such as customer or corporate data through ransomware attacks, for example, can weaken a company for hours, days, or even weeks, causing damage both to its competitiveness and its reputation.

Most cyberattacks aim to pressure victims into paying a ransom for stolen or encrypted data sets. Hackers who steal email login data can use it to launch additional phishing attacks and steal sensitive information from the victim’s colleagues and business partners. In another increasingly popular strategy known as ‘crypto-jacking’, the criminal hijacks an unwitting victim’s computing power, mining cryptocurrency for personal gain.

Typical gateways for hacker attacks

1. Social engineering—the human factor

Social engineering is a blanket term for several malicious activities that seek to exploit every system’s greatest vulnerability: the user. Hackers might build trust with a company’s employees or blackmail them to get their hands on sensitive information such as passwords and credit card information. Typically, communication is digital. Cybercriminals pose as IT support or even the CEO and demand that employees hand over important information right away.

2. Weak passwords

‘123456’, ‘password1’ and ‘abc123’—weak yet often-used passwords such as these leave the door open to password spraying attacks, where hackers use software to try to guess a user’s password by entering commonly used character combinations. Passwords connected to the user’s personal life (e.g., the name of a partner, pet, or favourite vacation destination) make it even easier for hackers with intimate knowledge of their victim to guess their password.
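Password spraying leaves a recognisable trace in authentication logs: one source fails against many different accounts with only a try or two each, unlike classic brute force, which hammers a single account. The following is an added example, not code from the page or from DataGuard, that parses a handful of constructed log lines (documentation IP ranges, invented user names, a made-up `sshd FAIL/OK user= src=` format) and flags both patterns so that the two can be told apart. The thresholds and helper names are assumptions for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log for this example; the format and all values are invented.
SAMPLE_LOG = """\
2024-03-28T09:00:01Z sshd FAIL user=alice src=203.0.113.7
2024-03-28T09:00:03Z sshd FAIL user=bob src=203.0.113.7
2024-03-28T09:00:05Z sshd FAIL user=carol src=203.0.113.7
2024-03-28T09:00:07Z sshd FAIL user=dave src=203.0.113.7
2024-03-28T09:00:09Z sshd FAIL user=erin src=203.0.113.7
2024-03-28T09:00:11Z sshd OK   user=frank src=203.0.113.7
2024-03-28T09:10:00Z sshd FAIL user=alice src=198.51.100.9
2024-03-28T09:10:02Z sshd FAIL user=alice src=198.51.100.9
2024-03-28T09:10:04Z sshd FAIL user=alice src=198.51.100.9
2024-03-28T09:10:06Z sshd FAIL user=alice src=198.51.100.9
2024-03-28T09:10:08Z sshd FAIL user=alice src=198.51.100.9
2024-03-28T09:30:00Z sshd FAIL user=gina src=192.0.2.55
2024-03-28T09:30:20Z sshd OK   user=gina src=192.0.2.55
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<service>\S+) (?P<result>FAIL|OK)\s+user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_auth_log(text: str) -> list:
    """Return (timestamp, result, user, src) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def failures_by_source(events: list) -> dict:
    """Group failed logins per source address, sorted by time."""
    by_src = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            by_src[src].append((ts, user))
    for fails in by_src.values():
        fails.sort()
    return by_src


def detect_spraying(events, window=timedelta(minutes=10), min_accounts=4, max_per_account=2):
    """Sources that fail against many distinct accounts, few tries each, inside one window."""
    hits = {}
    for src, fails in failures_by_source(events).items():
        for i, (start, _) in enumerate(fails):
            per_user = defaultdict(int)
            for ts, user in fails[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                hits[src] = sorted(per_user)
                break
    return hits


def detect_brute_force(events, window=timedelta(minutes=10), min_failures=5):
    """(src, user, count) triples where one account takes many failures inside one window."""
    per_pair = defaultdict(list)
    for src, fails in failures_by_source(events).items():
        for ts, user in fails:
            per_pair[(src, user)].append(ts)
    hits = []
    for (src, user), times in sorted(per_pair.items()):
        for i, start in enumerate(times):
            count = sum(1 for t in times[i:] if t - start <= window)
            if count >= min_failures:
                hits.append((src, user, count))
                break
    return hits


if __name__ == "__main__":
    evts = parse_auth_log(SAMPLE_LOG)
    print("spraying:", detect_spraying(evts))
    print("brute force:", detect_brute_force(evts))
```

The distinction matters for the response: a per-account lockout stops brute force but does little against spraying, which stays under any per-account threshold by design, so spraying is better answered by rate-limiting the source and by keeping passwords like those listed above off the allowed list in the first place.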

3. Shadow IT

Shadow IT refers to hardware and software that employees use without the IT department's knowledge. Typical examples include browser plug-ins and messaging clients. Since they’re not part of the company’s official IT system, solutions like this are unprotected. As a consequence, insecure solutions are widely used and are a potential attack vector for malware or crypto-jacking.

4. Lack of due diligence in introducing cloud services

A report by Statista shows that a staggering 15 million data records were compromised worldwide during the third quarter of 2022, marking a significant 37% increase from the previous quarter.

As attacks of this kind have been on the rise for years, it might seem a reasonable assumption that cloud services put companies at increased risk. But that’s not exactly right. The rising number of attacks simply expresses the increasing popularity and use of cloud services. Indeed, cloud services are often more secure than internally hosted IT, as they are subject to regular security updates.

But not all cloud environments are created equal. Some providers and solutions have a history of breaches with respect to information security and data privacy. There is no way around it—before you start working with a new cloud service provider, due diligence is essential: is the provider’s information security management system certified? How has the service provider held up under penetration testing? What contractual guarantees does the service provider offer? Ensure that your SLAs (service level agreements) reflect the service your organisation requires.

All of these measures and many more examples can be combined to keep your organization safe from attacks. In fact, bringing them all together often is the foundation for an Information Security Management System (ISMS).

What is an ISMS?

An Information Security Management System (ISMS) is a framework of policies and procedures used to manage an organization’s sensitive data and information security systematically. It encompasses processes, people, technology, and procedures that are designed to protect against unauthorized access, unauthorized use, disclosure, disruption, modification, or destruction of information. 

The primary objective of an ISMS is to effectively address and manage risks while also enhancing awareness of information security within the organization. It provides a structured approach to the management and protection of information assets, defines how processes and activities related to information security are to be managed, and outlines the roles and responsibilities of the personnel involved in managing information security.

Once you have built your ISMS, it is best practice to pursue a certification for an international standard like ISO 27001.


How is an information security management system (ISMS) set up?

Putting an ISMS in place can only be successful when management truly backs the undertaking and provides the necessary resources. A company’s Information Security Officer (ISO) needs the trust of management, who in turn must give the ISO the ability to act. Otherwise, the ISO can’t bring together the people, tools, and processes necessary to ensure a strong information security posture.

Key points:

  • An ISMS makes it easier for companies to calculate and control information security risks.

  • In industries with intricate, highly regulated supply chains, such as automotive or healthcare, implementing an Information Security Management System (ISMS) is a crucial prerequisite for competing in the market.

  • Management is always responsible for introducing and running an ISMS (top-down approach).

  • The specific implementation and scope of an organization's Information Security Management System (ISMS) is determined by its unique risk appetite and circumstances.

 

The goal of an ISMS

As the name suggests, information security management systems are process-oriented and always a management-level responsibility. Management can delegate tasks related to ISMS implementation, but not the responsibility for establishing a strong security posture in and of itself.

After implementing an ISMS, management must continuously monitor, evaluate, and adjust its scope and individual measures to ensure ongoing effectiveness.

A company must also have an overview of the information in its possession and the risks it is exposed to, as well as what it would cost if those risks materialized. Based on this knowledge, management can decide how far said risks should be reduced through measures that fit the company's circumstances, rather than pursuing every single technical measure out there.


What are the benefits of an ISMS?

Implementing an Information Security Management System (ISMS) offers multiple benefits, including the opportunity to differentiate your organization from competitors by upholding stringent information security standards, even in an unregulated market. This can attract and retain discerning customers who value robust cybersecurity practices.

What's more, businesses without an ISMS lack a comprehensive understanding of their own processes and information assets, hindering their capacity to effectively manage and safeguard sensitive data.

In the pursuit of investor funding, an ISMS also offers a robust framework for due diligence, showcasing the organization's dedication to data security and risk mitigation. Take the automotive industry: for a company to enter this highly regulated market and act as a supplier, it must meet the industry requirements and have an ISMS in place.

 

How do I implement an ISMS in a company?

The requirements for establishing, implementing, maintaining, and continuously improving an ISMS are specified in the international standard ISO 27001. In terms of structure and operations, an ISMS basically follows a traditional PDCA cycle, where PDCA stands for plan, do, check, act.

A good place to start is creating an ISMS guideline, through questions like these: Why do we, as a company, want to set up an ISMS? What are our goals? How will we organize our ISMS? Who will play the part of Information Security Officer (ISO), what resources will they have at their disposal, and what measures will they put in place?

  1. Identify and classify assets. What assets/information do we want to protect? How sensitive are these assets/information?

  2. Establish ISMS organization and risk management structures. What tools do we want to use? What financial and staffing resources will the ISO have at their disposal? What structures should the ISO establish?

  3. Develop control mechanisms. How can we check whether our ISMS is effective and protects our corporate assets in the way we want it to?

  4. Operate the ISMS. What processes do we put into action in day-to-day business? How will we integrate and document them?

  5. Check results and KPIs. Questions like this must be routinely addressed: what results does our ISMS achieve? What key performance indicators (KPIs) can we track over time?

  6. Make corrections and take precautions. Where do we need to make changes to get better results? What can we do to prevent risks?

  7. Review by management. Are our ISMS’s goals and general orientation still a fit for us? Does management need to course-correct? 

Management should review the ISMS with questions like these at least once a year or when there is a significant organisational change.


ISMS certification

Companies with a certified management system for information security benefit in several ways, not the least of which is the systematic identification and minimization of risks to your IT systems, your business activities and processes and finally, your employees’ conduct at work.

In other words, companies with a certified ISMS can manage their information security risks to a high degree of excellence, and prove it to a third party. This will increase the confidence that customers and potential partners have in your company’s ability to deliver high-quality services.

One thing is certain: any investment and effort you put into certification is sure to pay off—especially if you’re facing a due diligence check. After all, the process will be significantly swifter and easier if your company already has ISO 27001 certification. As a bonus, ISO 27001 certification often greatly increases company value.


Industry-specific certification schemes for information security management systems

ISO 27001 is the gold standard for information security management systems. However, the individual industry, market and national legislation may make other standards relevant.

Take Germany, for instance, where the Federal Office for Information Security (BSI) has developed the standards BSI 200-1 and BSI 200-2. As a 12-step system for implementing a compliant ISMS, these standards are especially helpful to local authorities and small and medium-sized enterprises.

When working with U.S. federal information systems, NIST (National Institute of Standards and Technology) Special Publication 800-53 is the relevant standard—or, with respect to financial reporting, the international Service Organization Control standards SOC 1 and SOC 2.

 

Accredited ISO 27001 certification

There are several national and international accreditation bodies around the world. EU law stipulates that each member state has one national accreditation body, such as the Deutsche Akkreditierungsstelle (DAkkS) in Germany or the Hellenic Accreditation System (ESYD) in Greece.

In the USA, on the other hand, there are multiple accreditation bodies that serve different standards, among them the ANSI National Accreditation Board (ANAB) for ISO 27001 accreditation.

The UK follows the EU model, with one solely appointed national accreditation body, the United Kingdom Accreditation Service (UKAS). Currently, UKAS has accredited more than 150 certification bodies in the UK alone, 24 of which specifically offer accredited ISO 27001 certification.

While UKAS also offers ISO 27001 accreditation to foreign certification bodies, certifiers around the world typically pursue recognition by an international accreditation body such as the International Accreditation Board (IAB). Certification bodies accredited by IAB perform audits according to ISO 17021, an international standard for auditing management systems.

Certifications not confirmed by the international accreditation body are often not recognized by business partners. 

 

ISO 27001 certification: the costs

For companies seeking ISO 27001 certification, implementing the necessary security measures generally incurs the greatest cost. Investing strongly in your security posture from the get-go yields the best results. That's because repeat audits can start to pile up: if you fail, you’ll have to arrange a new one—the process starts over, and the costs increase.

A medium-sized company with 100 employees and relatively low process complexity per 15 to 20 employees can roughly expect an audit to wrap up in several days. For larger companies, audits will be more time-intensive.

The actual duration will naturally depend on how complex your information security processes are as well as on the scope you’ve defined for your ISMS. Smaller companies with only one location can expect certification to be upwards of € 10,000 (£7500). Certification bodies will provide an exact figure upon request.

 

Recertification: How long is ISO 27001 certification valid?

Putting information security measures in place is not a one-off project but a continuous process. For this reason, your company’s ISMS will need to be recertified on a regular basis.

To stay compliant with ISO 27001, your certification will need to be renewed once every three years through an entirely new audit process. If serious deficiencies are uncovered, certification can be revoked even before the three-year cycle is up. What’s more, ISO 27001 also requires companies to perform annual internal audits independently.

 

What are the requirements for jobs in information security?

In 2022, there was a global shortage of some 3 million cybersecurity professionals. And it’s no surprise, as the information security job profile brings together a unique skill set—a plurality of competencies that are rare in today’s jobs market. In addition to a high degree of IT literacy, applicants also need to demonstrate in-depth knowledge of the standards and laws relevant to the field.

Moreover, the job is also one that frequently demands an aptitude for communication and negotiation. After all, information security processes can only work when all the involved company divisions cooperate. Getting them to do so is just one more task where the cybersecurity professional must shine.

Information security experts are in high demand in the job market. Previous work experience and knowledge of ISO 27001 and information security management systems are essential for qualification.

Employees should have experience in the following areas:

  • Implementation of IT security, including an understanding of critical infrastructures 

  • Setting up an ISMS

  • Certifying an ISMS in accordance with ISO 27001 / TISAX®

  • Managing information security incidents

  • Staff training and awareness-raising activities

  • Negotiations and project management

 

(Chief) Information Security Officer: an overview

The Chief Information Security Officer (CISO), or Information Security Officer (ISO), is a manager who is responsible for information security in an organization. They are responsible for the security of information, data, and systems.

A CISO focuses their attention and efforts on securing the company's interests. The job is something of a balancing act between protecting information assets and ensuring seamless business operations. Normally, the position is directly subordinate to top-level management and works closely with the IT department as well as the compliance and legal teams.

The responsibilities of the CISO include:

  • Protecting corporate assets from attacks and data breaches (in cooperation with the Data Protection Officer and IT)

  • ISO 27001/27002 and TISAX® certification

  • Introduction of an information security management system

  • Choosing suitable methods and tools

  • Risk management and advising company leadership

  • Communication between departments

Depending on the company, the position of CISO can be filled by an internal employee or an external service provider.

Is outsourcing information security worth it?

Not every company has the resources or the will to implement and manage information security. In some cases, the internal team might need more support with the heavy documentation load. Perhaps the team doesn’t have the right expertise for a certain project or struggles with a due diligence audit.

When faced with challenges like these, it’s best to turn to an external service provider for guidance. The advantage is that external services are quick to procure, and the service provider’s experience can guide you through unknown territory.

A good provider will assign you a personal contact, your go-to for all the challenges your company faces, with the know-how from past experiences to overcome them.

