The largely accepted view and standard is that the protection of information assets is a technology function and hence in many organizations all “controls” are within the area of Information Technology.

While technology is an important aspect of any information security program strategy, it is at best only one of three legs of the footstool. Many information compromises start with threats that arise from weak procedures, and may include intentional or unintentional human acts.

Social engineering is the act of obtaining confidential information through the “art of deception”.  Most people have heard of or experienced phishing attacks through email.  The email entices the recipient to visit a website that downloads malicious software to the user PC or tricks the individual into providing sensitive information such as login credentials to business or personal accounts.

Vishing attacks, which are social engineering exploits delivered by phone, are frequently launched against customer service departments, help desks, and other business functions within corporations.  With caller identification easily spoofed and displaying the desired inbound number on the recipient’s display, the attacker poses as someone they are not in attempt to extract sensitive information.    The goal of the attacker may be to gain access to the company’s infrastructure, bank accounts, personal and private information or a variety of other reasons.  It is hard to image how technology can prevent such attacks if the employee is unaware and untrained.

Organizations that fail to look at risk to their information assets from a global perspective by analyzing business processes, identifying potential exposures, and determining the necessary controls to protect their information assets run a high risk of repeat and long-term compromise by both insiders and external attackers.

A well-balanced plan integrates risk management principles and focuses on a blend of preventative, detective and response measures across people, process and technology.   Establishing a plan starts with awareness at the business leadership level, analysis of the threats, and the development robust business-centric mitigation strategies.    While all compromises cannot be prevented, an organization that prepares will detect malicious activity sooner, limit exposure, protect its brand, and recover in a precise preplanned manner

I am amazed at the number of organizations that continue to take either a lax, or too narrow approach in protecting information assets. I am certain that those of our legislators who understand the threats against our corporate assets and the individual’s identity would agree. Just look at some of the regulations that currently exist, Sarbanes Oxley, PCI DSS, Red Flags Rule, HIPAA, GLBA and you will begin to get where I’m going. Throw in the regulatory bodies FTC, SEC, FFIEC, and so on.

There are armies of resources now and a growing attitude for more legislation and governing bodies. This is purely reactionary and misguided when it comes to securing information assets. What is really missing in the equation is focus by the companies themselves who hold the intellectual property, sensitive consumer information, or infrastructures of national concern.

In general executive leadership does not understand the real and growing threats that their businesses face. There are literally thousands of attempts at their organization’s assets on a daily basis from, internal hackers, and externally sophisticated organized crime and espionage groups. Still none of this is on the average executives’ radar screen. Too often the media when they do speak on the topic doesn’t get it right as they are going for the sensational as opposed to the facts. We need to focus on the facts, as this is not a Sci-Fi drama, its real world.

Perhaps the government has gotten the attention of corporations in only the way it believes it can through regulation. However regulators don’t always do their job so various frauds and information thefts of identity, healthcare, credit, and other crimes continue to grow. In large part the regulation has pressed companies to focus on passing audits and not securing information assets. The two require markedly different approaches and levels of commitment. A complaint organization is not necessarily a secure one.

So when do most corporate leadership, principals, partners and other executives focus on information security? The all to often answer is, after the compromise. The approach then is ad hoc, reactionary, and an ill focused response to an information compromise. The loss occurred, the organization not prepared, preventative measures failed, the compromise not detected for an extended period of time, and now chances are there is little opportunity to fully recover at any cost. Information security breaches can cost an organization millions and high-profile public cases can run into the hundreds of millions of dollars.

Information Defense is often called in on incident response and forensic investigations. Many times long after the breach has occurred. We have seen “compliant” organizations suffer significant information losses. Again I want to stress that securing information assets and being complaint are not one and the same. Piecing together the facts in an investigation where a theft has occurred is difficult, costly and a lengthy process. Results are highly dependant on evidence that may no longer exist and are out of the control of the incident response and forensics team. While comprehensive information security programs, across people, process, and technology often form the basis for solid compliance solutions the converse is not true.

While security awareness can often arise from comprehensive steps taken to become compliant, without understanding at the most senior levels, and a corporate mandate accompanied by the resources to drive the necessary steps for information security the organization will be largely unsuccessful.

Engaging expert external resources such as Information Defense can bring the critical comprehensive experience and balance to the organization. Experts can help to balance compliance and security initiatives while help define and drive priorities and timelines to manage what can be enormous investments. Often outside resources can assist in engaging the executive team for sponsorship and drive the importance of following strong risk management practices and principles to support today’s information rich, connected, online present organizations.