IT security alone is not enough

More is required than just IT enterprise security

In recent years, the impact of cyber-attacks on companies and countries has become increasingly broader in scope. It is therefore hardly surprising that the demands on IT security and associated investments are increasing accordingly. However, IT security cannot provide comprehensive protection. Instead, it is advisable to strive for comprehensive information security. In addition to the protection of IT systems (IT security), information security includes the protection of all of a company’s information ─ regardless of where this information is processed. Information in this context can include, for example, printed documents, as well as employee knowledge.

The core values of information security are: Availability ─ the organization’s information should be available during the designated time period; confidentiality ─ no unauthorized persons should gain access to information; and integrity ─ information should not be open to manipulation. With the help of an information security management system (ISMS), these basic values are to be adhered to. But small- and medium-sized companies in particular shy away from setting up an ISMS because of the organizational and financial effort involved.

Building and maintaining an ISMS can, indeed, be organizationally challenging. Especially if, for example, an ISMS is to be set up in accordance with the BSI basic protection standard. The more than 1000 proposed measures here can serve as a deterrent. It is often enough to start small: By introducing basic protection, the BSI wants to make it easier for SMEs, in particular, to access an ISMS. There are other options: The specifications for an ISMS according to ISO 27001 are, by comparison, more conceptually structured, and they give the organization more leeway to develop a tailored ISMS.

The financial aspect is a popular argument made against the establishment of an ISMS. It is often argued that people prefer to focus on topics that directly increase sales and, moreover, that they have already invested heavily in firewalls and other tools for securing IT systems. Such arguments are countered by the fact that some 15 percent of all security incidents are caused by phishing alone (Verizon Data Breach Investigations Report 2020). So employees play a significant role in protecting information.

Furthermore, every business owner should keep in mind that there are high costs in the event of an information security breach: IT systems and their data could be destroyed, and recovery is costly. The publication of internal information can cause competitive disadvantages. If personal data is involved, there is also the threat of severe penalties from data-protection authorities.

In summary, it can be said that in addition to IT security, the security of other information must also be kept in mind, because high-security IT is senseless if employees bring confidential information outside of a respective organization (e.g., a telephone call in public). Establishing an ISMS can help. To keep things easy, it is recommended to start small. In the long run, protecting information will most likely pay off financially.

Are OT and IoT security issues for your company? As an independent entity with a portfolio of proven security providers, CyberCompare can provide you with comparative offers at no charge and with no obligation. Reach out to us or use our diagnostic to learn more about your cyber risk profile.

Please remember: this article is based our knowledge at the time it was written – but we learn more every day. Do you think important points are missing or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company’s other experts and welcome your feedback and thoughts.

And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.