Current Issue
January 2024 Issue
Read digital flipbook
Read PDF
Get notified for updates
Past Issues
Read digital flipbook
Read PDF
Get notified for updates
Past Issues
Contents
More
Popular Topics
Digital transformation
ESG
Sustainability
Corporate finance
Work life balance
Metaverse
FinTech
Taxation
Ethics
SMPs
Diversity
Anti-money laundering
Cryptocurrencies
POPULAR READ
A purpose-driven profession: Interview with Roy Leung
From extraneous to essential: Charting the rise of ESG assurance in Hong Kong
Good CG, good ESG: Winners of the Best Corporate Governance and ESG Awards 2023
Columns / How to

How can firms ensure better information security?

Author
Roger Lo

Roger Lo, Senior Manager of Risk Advisory, BDO, on what firms and employees can do now to safeguard their digital data

Bookmark
Text size: A+A-
Author
Roger Lo
July 2021 issue

Flipbook version
PDF version
Share

Data protection has become a must for companies of all sizes, especially in recent times. With cyberattacks on the rise, and hackers becoming more sophisticated in their ways, protecting an organization – and its digital information – against potential breaches can sometimes feel like a never-ending game of cat and mouse. 

Take ransomware, which is a type of malicious software that hackers have been using since 2013 to hold digital information. Arguably, it hasn’t been taken seriously enough in terms of its impact on a company’s critical data and IT infrastructure, and has therefore become a top choice of malware for criminals. In 2020, the total amount of ransom paid by the victims reached nearly US$350 million in cryptocurrency. This is a 311 percent increase over 2019, according to a crypto crime report from software company Chainalysis. While there is a lot of money at stake, cyberattacks like these can also take a serious emotional toll on those involved.

So why isn’t every company protected? Firstly, protecting a company against a hack is costly. It is labour-intensive to perform a root cause analysis, for example, and assure its whole IT infrastructure is no longer vulnerable. This requires IT security experts, and not every company has one. Then how can we protect data and a company’s critical IT infrastructure? While information security will inevitably require investment, it’s better to be prepared in the first place, as the benefits will far outweigh the potential damage caused.

Protect against data breaches, and also detect cyber threats

Businesses can develop and implement the appropriate safeguards to limit or contain the impact of a potential cybersecurity event before it takes place. With reference to the United States National Institute of Standards and Technology (NIST) Cybersecurity Framework 800 series, businesses should first have control of and access to their digital and physical assets. They should also have processes, procedures and policies put in place to secure data, maintain baselines of network configurations and operations, and to also repair system components in a timely manner. These controls are not only very useful for large businesses but also those new to information security, such as small- and medium-sized enterprises.

Examples of protection controls include:

  • Increasing staff awareness through education and role-based training.
  • Ensuring information security protection is consistent with the business’ risk strategy to protect the confidentiality, integrity, and availability of information.
  • Implementing necessary information protection, processes and procedures to maintain and manage the protection of information systems and assets.
  • Protecting business resources through maintenance, which includes remote maintenance activities.
  • Using protective technology, and ensuring the security and resilience of systems and assets are consistent with policies and agreements.

Businesses should also implement the appropriate measures to quickly identify data security events. The NIST Cybersecurity Framework also suggests businesses should set up continuous monitoring mechanisms that detect suspicious activity so that other threats to operational continuity are contained. A business should have visibility into its networks to anticipate a data breach incident and have all information and resources at hand to respond to one. Continuous monitoring and threat-hunting are very effective ways to analyse and prevent cyber incidents in the first place.

Examples of protection controls include:

  • Ensuring anomalies and events are detected, and that their potential impact is identified by conducting reviews of audit logs on a weekly or more frequent basis. The log should include sensitive data access, including modification and disposal.
  • Implementing continuous monitoring capabilities to monitor information security events and verify the effectiveness of protective measures including network and physical activities.
  • Ensuring that the company implements recovery planning processes and procedures to restore systems and/or assets affected by information security incidents.
  • Implementing improvements based on lessons learned and reviews of existing strategies.
  • Internal and external communications are coordinated during and following the recovery from a data security incident.

Are you prepared for better information security?

Developing an information security programme is not a one-off effort; it needs to evolve within the ecosystem in which it exists. It is also no longer just an IT issue, as this evolution requires a variety of stakeholders to contribute. For example, accountants, who are domain experts in business, can help to assess IT risks by looking at various business cases and processes. With this assessment, an information security strategy can be established.

But bear in mind that it can be difficult to achieve 100 percent protection, as a determined and skilled hacker can and will eventually compromise a system to a certain extent – especially when firms of all sizes are much more vulnerable with the rapid acceleration of online transactions and digital transformation today. So the most important question is perhaps not “how good is your protection?” but rather, “how much have you prepared for a data breach?”

cybersecurity
Data security
POPULAR READ
A purpose-driven profession: Interview with Roy Leung
From extraneous to essential: Charting the rise of ESG assurance in Hong Kong
Good CG, good ESG: Winners of the Best Corporate Governance and ESG Awards 2023
Sign up for the e-newsletter and never miss an issue
Add to Bookmark
Text size
A-
A+
July 2021 issue
Read flipbook version
Read PDF version
Related Articles
cybersecurity
Navigating personal data privacy and security in the age of digitization
April 2023
Ada Chung, Barrister and Privacy Commissioner for Personal Data, on why companies need to proactively safeguard the security of personal data
Data security
What do China’s new data security laws mean for companies?
December 2021
Experts chime in on the latest developments in business and accounting
cybersecurity
How can firms ensure better information security?
July 2021
Roger Lo, Senior Manager of Risk Advisory, BDO, on the steps companies can take to prevent cyberattacks
Advertisement
We use cookies to give you the best experience of our website. By continuing to browse the site, you agree to the use of cookies for analytics and personalized content. To learn more, visit our privacy policy page. View more
Accept All Cookies