
INFORMATION SECURITY

We live in a constantly evolving digital society. This means that most organisations today rely on information technology to maintain their operations. In many organisations, information is stored online, and the vast majority use the Internet in their work. The Covid crisis and the ensuing remote work practices have confirmed the necessity of working online. Because we rely on technology, it is vital that our behaviour around its use is secure and well-balanced.

Information security is about protecting information that may be important for the organisation. Among other things, we do this through secure behaviour both online and offline and in the processing of data and critical information, through technical measures, and through contractual relationships with suppliers. It is therefore a general term for the measures taken by the organisation to secure information in everyday life and when an incident occurs.

What does information security have to do with terrorism?

Sharing information about an organisation's locations, employees, projects, etc. increases vulnerability, which affects the general risk of potential incidents. If attackers want to damage the organisation in some way, their chances of a successful attack increase when they gather information about, e.g., peak periods at a site, the whereabouts of key people, the organisation's main customers and the like.

It is therefore important that the organisation has clear information security policies on the sharing and processing of information so that everyone in the organisation knows how to deal with information security issues.

Why is information security important?

It may seem obvious that taking care of critical information is important, but the challenge is linked to the high level of unawareness that comes with working digitally. Studies show that around 19 out of 20 mouse clicks are unconscious – that is, we are not aware of what we click on – and that up to 50 percent of all successful cyber-attacks today are based on inattentive behaviour around IT use.

Therefore, organisations must do what they can to raise awareness of the use of IT in their daily work. Employees need to take responsibility, have a healthy scepticism and know what to do if things are not quite right. In other words, it's about making individuals aware of their role in the big picture. At the same time, security managers must be aware that mistakes and risky behaviour in relation to IT are often taboo. Therefore, a lot of work can be involved in breaking the taboo without creating a zero-defect culture.

How can you work with information security?

Planning the implementation of information security in an organisation can be a considerable task. For many security professionals, dealing with IT security is unfamiliar territory and can seem almost overwhelming. Fortunately, there are international and national standards, guides and guidelines to help implement information security, and they are very similar to what some will know from other standards for business continuity work. You can find help via, e.g., the Danish governmental website on cybersecurity, SikkerDigital.dk, and in the ISO 27000 series, which are designed to systematise and provide a framework for the establishment, implementation, maintenance and continuous improvement of information security in organisations.

 

DEFINITIONS
Information security
Information security is a broad term for the overall measures taken to secure information with respect to confidentiality, integrity (alteration of data) and availability. The work includes, among other things, organising the security work, influencing behaviour, processes for handling data, managing suppliers and technical security measures.