Information security needs to be regularly audited, the way companies’ finances are
The Industrial Revolution led to the creation of several new professions, including public accountants. Thanks to the Digital Revolution, we’ve seen the rise of information security auditors. Yet independent auditing of information security is not widely regarded as being as essential to the proper functioning of a business as annual financial audits. Thankfully, I do not believe this will be true by the time I retire.
Information security can be a matter of life and death
Finland is experiencing an obscene reminder of the life-or-death importance of information security. Vastaamo, a private psychotherapy center that delivers counseling through the country’s health care system, had its records hacked over the last couple of years. In October, criminals sent emails that threatened the publication of private records if Vastaamo’s patients did not pay a ransom demand that doubled after twenty-four hours.
This case demonstrates how the potential exposure of hacked information can cause serious harm, potentially even lethal harm. To avoid future cases like Vastaamo, there must be appropriate information security controls for all systems that process sensitive personal data.
So much data to audit, so little time
Currently, security audits are conducted, but only by organizations that recognize the importance of assessing cyber risks. I believe in the future—ideally, the near future—these data audits will be considered as routine and necessary as financial audits are today. However, this will not be possible if we expect government regulators to do the auditing.
Reijo Aarnio, the recently retired Finnish Data Ombudsman, estimated that it would take 10,000 years to do a first full audit of all the systems that process personal data in Finland using the data protection authority’s current resources. Information security auditing by government officials would be as bad an idea as replacing independent financial audits with an annual inspection by government tax collectors.
What smart security auditing would look like
We need international standards, certification bodies and regular inspections of information security in critical systems. From other sectors, we know that authorities should accredit certification and inspection bodies. They can also participate in requirement and standard development, but this should preferably be led by standard-setting organizations that follow the WTO “Six Principles”. Certification and inspection should be performed by independent private certification bodies. Automation will play a crucial role in information security audit—not only for cost control, but also to guarantee timely inspection and thorough coverage.
Corporate decision makers need to understand that if you don’t test your products, someone will do it for you, whether you want the help or not. Vulnerabilities will inevitably be discovered, and if it isn’t your organization or a testing provider that finds them, it could be a hacker, a bot crawling the internet for weaknesses, or an attacker wishing you harm. That’s why all systems and devices that connect to the internet should be tested by a trusted independent entity.
Yes, this creates new obligations for business. But as we’ve seen in the Vastaamo case, time and cost concerns are no excuse when it comes to protecting the most valuable asset there is—customers’ data.