The Many Layers of Information Security

Companies should start their protection with the basics – they will get you far. Critical data can only be effectively protected if business management also understands the basics of information security.

Although perfect protection from cyber threats is impossible, you should always do your best. The new documentary series by DNA Business presents an overview of the basic concepts and solutions.

DNA Business information security expert Petri Ramu emphasises the importance of protecting the boundary layers of the network i.e. those between the public internet and the company's local network:

"Protection should start with the basics. First, protect your boundaries and their services. Next, protect the vital systems surrounding the core business, as well as the connections of those systems. This is enough to reduce the risks significantly and secure the company's valuable data."

Personnel should also be trained. The awareness of the personnel about information security risks is directly proportional to how easy it is for different threats and attacks to penetrate the company's systems. Protection is more than technology and expertise; it is also everyday practices and operating models.

"Maintaining information security is a continuous process. It is not just about imagining risks and threats, but rather a solution-focused approach to information security," says Ramu.

The protection of networks relies heavily on situational awareness. Situational awareness allows the events of the network to be understood. If there is no clear picture of the events in the network, security breaches cannot be detected or isolated. The company can use their situational awareness to determine if their critical data is threatened.

"Companies should understand which processes are the hard core of their business, and therefore what data or information is the most critical. It is easier to set up protection when you know where your defences should be concentrated," says Ramu, describing the difference between critical and non-critical company systems.

This is also precisely why the company's business management should be up to date on information security: it is their job to determine what information must be protected to safeguard the core business processes. This allows experts to build systems that have the correct levels of protection.

Sometimes, critical material is hard to identify and external specialists may be required.

Cyber threats are constantly increasing and evolving. For example, the use of networked consumer products in denial-of-service attacks will increase without a doubt. To compensate, companies should seek help from partners and service providers so they can have adequate protection against these new cyber threats," says Ramu, commenting on the future operating environment.