Hall, who founded information security software company Infogov, says: “Information and security management is really founded on knowing the value of information to the company.”
That applies to big and small companies, although the types of problems they face are typically different. “Small companies generally understand the business inside out and know what’s important. The thing they suffer from is technology problems and they often don’t have the right expertise,” he says.
“Most large organisations tend to equate information security with IT, and they tend to outsource a lot of their IT. If they’ve got the culture that risk management is all about IT, they think they’ve delegated risk management as well.”
Hall says it’s also important to follow best practice. “Best practice means going through the right process to work out what the business requires, and it should start by doing a risk assessment on the business to understand what’s important. Then it’s about identifying the risks that company is exposed to and putting controls in place.”