Oft times when information security professionals talk about information security, you will no doubt hear a three-letter acronym that may confuse some: C.I.A. - and no, it's not the Central Intelligence Agency.
When talking of the C.I.A. we refer to the three-pronged structure upon which information security stands, namely confidentiality, integrity and availability.
That is essentially what information security refers to:
the confidentiality, integrity and availability of information, whether it be in bytes or on paper.
I can almost hear someone moan: "Aaawwwhhh rats! I thought information security was about hacking!", well...
As previously mentioned in other posts, I believe that information security should be everyone's business, in every company (yes, start-ups included). It is not just the IT department who should be concerned with this.
It takes a collective effort to get information security right and, in terms of companies (especially online start-ups), it should be your duty to provide some sort of security training or awareness for both your clients and employees. The benefits of this will speak for themselves.
Let's take an example to show that everyone has a part to play in information security:
When you have documents in the office (on paper or digital) about anything company-related, whoever has those documents must always ensure that the right people can have access to them (Availability) and, equally important, that the wrong people don't have access to them (Confidentiality).
Whoever else handles those documents should then ensure that the information on them is correct (Integrity).
What do you notice there? Simply using the C.I.A. process to focus on document handling! That's not even tech related!
In the case of software developers and the IT department:
When your oh-so-hot web app gets DDoS'ed, it will stop your users from accessing it (Availability), and should you suffer a security breach, private information such as the usernames, passwords and credit card numbers of your users may be exposed (Confidentiality).
Furthermore, if you do not use HTTPS (or even better – HSTS), malicious attackers can use attacks such as MITM (Man-In-The-Middle) against your users (Integrity), i.e. they can pretend to be you to your users (
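Since the post recommends HSTS as the stronger option, here is an added example (not code from the original post) of the kind of check a developer or IT department can run against their own site's response: it parses the `Strict-Transport-Security` header the way a browser reads it and reports settings that would leave users open to an HTTP downgrade. The threshold of one year and the `includeSubDomains` and `preload` requirements are the ones the public HSTS preload list asks for; the sample header values at the bottom are constructed for the demo, not captured from any real site.

```python
"""Added example: checker for a site's Strict-Transport-Security (HSTS) header.

Parses the header per RFC 6797 directive syntax and returns findings a defender
would want to fix. Sample inputs are constructed, not taken from a real site.
"""

import re
from typing import Optional

ONE_YEAR = 31_536_000  # seconds; the minimum max-age the HSTS preload list requires


def parse_hsts(header: str) -> dict:
    """Split an HSTS header value into its directives.

    Directive names are case-insensitive. max-age carries an integer value;
    includeSubDomains and preload are flags (stored as True).
    """
    directives = {}
    for raw in header.split(";"):
        part = raw.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", value):
                raise ValueError(f"max-age must be a non-negative integer, got {value!r}")
            directives[name] = int(value)
        else:
            directives[name] = True
    return directives


def check_hsts(header: Optional[str]) -> list:
    """Return a list of findings; an empty list means the policy looks sound."""
    if header is None:
        return ["no Strict-Transport-Security header: browsers will still accept plain HTTP"]
    try:
        d = parse_hsts(header)
    except ValueError as exc:
        return [f"malformed header: {exc}"]

    findings = []
    if "max-age" not in d:
        # RFC 6797: a header without max-age is invalid and ignored by browsers
        findings.append("max-age missing: browsers ignore the header")
    elif d["max-age"] == 0:
        findings.append("max-age=0 removes the policy instead of enforcing it")
    elif d["max-age"] < ONE_YEAR:
        findings.append(f"max-age={d['max-age']} is under one year; the protection lapses quickly")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing: subdomains can still be reached over HTTP")
    if "preload" not in d:
        # preload only takes effect once the domain is submitted to the preload list,
        # but without the directive the very first visit stays unprotected
        findings.append("preload missing: first visit is unprotected until the header is seen")
    return findings


# Constructed sample header values for the demo (not from any real site)
SAMPLES = {
    "strong": "max-age=31536000; includeSubDomains; preload",
    "short": "max-age=600",
    "absent": None,
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(f"{label}: {check_hsts(value) or ['ok']}")
```

Run it against the header your own server actually sends (for example, copied from the browser's network tab) rather than the constructed samples; the "short" case is the one most sites get wrong, because a small `max-age` chosen for testing is often never raised again.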
All this is mentioned to show how important it is for people to realise that in everyday organisational life they are already doing some or all aspects of information security; in some cases they may be doing it incorrectly, but once they are made aware of this, they can do it correctly.
Remember, when the POPI Act is implemented in South Africa, everyone in the organisation should already be aware of these things, as almost everyone in most organisations handles some sort of data (organisational or personal data) and the handling (storing, accessing, sharing) of that information will be closely scrutinised by this Act, among other things.
Information security done right spells only good news for your company or organisation; but if done wrong, the results could be disastrous.
Information security is everyone's business - some just didn't know it or have been doing information security wrong all along.
Those in the know should take it upon themselves to educate others and those organisations that already have some sort of ongoing security awareness program in place should help and influence others to do likewise.
A collective effort is needed in making the internet a safer place. Yes, tech is on the rise in Africa but the 'tech on the rise' shouldn't outpace the security awareness and training of it on this continent.
For example, it's (or should be) a small thing for companies offering online services to have a tab somewhere on their site where users can go to learn a few things about online safety as pertaining to their service.
Some day I hope to see security awareness and training being a continent-wide, government-backed initiative.
Until then, keep safe!
Cover Image Credit: Electronic Frontier Foundation