In my professional life, I have come to appreciate the fact that information is crucial to any organisation. It’s however surprising that most organisations assume their information systems are secure.
It pains me to see charge sheets of crime suspects “flying” on social media even before they are arraigned, or classified documents from the government and security agencies finding their way to WhatsApp groups or the gutter press. These examples show a lack of seriousness about information security.
How then should we approach information security with all these challenges brought about by the internet, bad press and social media? To begin with, organisations must assess their systems by answering the following questions: What constitutes sensitive information? Where is this information held (files, hard drives, cloud)? Who are their adversaries (staff, former employees, competitors, journalists, activists)? What are the threats to their information (hacking, social engineering)? Once an organisation has answered the questions comprehensively, then the following measures can mitigate threats to information.
Firstly, classify the information. This will bring to the attention of employees what constitutes and what doesn’t constitute sensitive information. It’s factual that no matter what technical controls we apply to information protection, it is humans (staff) that are invariably the weakest link and the most likely to be targeted by the competition. Secondly, apply a proactive legal approach to protect intellectual property through patents, trademarks and copyrights.
Thirdly, many organisations have one corporate security and safety policy. It’s however advisable to have a separate policy for information security, owing to its sensitivity. This policy should be operationalised through standard operating procedures, instructions, rules/regulations to ensure total compliance.
In addition, any violations of the rules/regulations/instructions should attract severe punishment to deter a recurrence. As is the case the world over, information security related crimes like espionage carry severe punishment. Fourthly, initial and periodic, but continuous, vetting and training of staff, especially handlers of sensitive information (clerks, messengers and managers), should be carried out.
The fifth strategy is to employ operational security interventions. These are physical measures like door locks, cabinet locks and computer passwords; good housekeeping rules like avoiding loose talk (gossiping and rumour-mongering); and good access control measures like enforcing a “need-to-go” basis and sharing information on a need-to-know basis. The sixth strategy is to employ interventions to guard your information systems by use of firewalls, antiviruses, and integrated access control like user authentication, authorisation (accessibility) and auditing.
It is also imperative for an organisation to have technical surveillance to counter such things as listening devices in conference rooms and telephone transmissions. Lastly, organisations may consider other measures such as proper disposal of material, like shredding of used papers, requiring guests visiting sensitive areas to sign non-disclosure registers upon entry, and so on.
The next question is: How should organisations respond to misinformation/bad publicity as propagated by fake news on the internet, in the press (especially the gutter press) and on social media? Firstly, organisations need to expand their traditional corporate affairs/public relations offices to accommodate these new threats to information security. A team should be constituted to continuously monitor social media, the internet and the press to provide early warnings on emerging issues and gauge public opinion about the organisation.
As and when it is really necessary to address the misinformation, the aforementioned offices should swiftly provide facts — online and offline. This helps build relationships and shows you are not just a faceless bureaucratic organisation but one that is transparent and accountable to the public.
Some organisations have fallen into the trap of employing off-book interventions to tackle bad publicity. The results are often disastrous. Information is of key value to adversaries, who wage a relentless, unseen and undetected campaign to obtain your most sensitive data. Methods used include plain theft, solicitation, inadvertent disclosure and hostile interception. Information security, however, requires a multidimensional approach. The threat sources and methods used are also diverse.
Mr Cherutich, the principal deputy director — Security and Safety Services, University of Nairobi, is a retired military officer.