Information Security and Avoiding Leaks

Today, a company’s value is based not solely on its physical and intellectual assets, but also on the information it holds and its capacity to use this information as a tool to meet objectives.  How, then, can information leaks to competitors be avoided? Ika (Yaakov) Atia, co-founder and CEO of an Israeli security consultancy company, and information security specialist, has some answers. 

The protection of information systems is a wide field concerned with protecting company information against the threat of leakage to the world outside its metaphoric walls. In recent years, there has been an increase in the number of cases in which internal information is leaked to interested parties, including industry competitors. In Israel in the 90s there was a famous public scandal in which two of the country’s largest newspaper houses illegally tapped each other’s phone lines.

It is widely held that the development of computer systems has radically affected the world over the past thirty years.  Oftentimes, the security of a company’s information is described as information security, which is inaccurate according to Ika (Yaakov) Atia, CEO and information security specialist.  Colonel Atia (Ret), who has a prominent resume in military intelligence, believes that information can be leaked not only digitally, but also through a company’s own employees, whose trustworthiness is a crucial factor that must be considered.

Why is information security such an important topic?

“Information is the primary asset in the activities of the modern commercial market.  Today, there is not a single commercial entity in Israel or around the world whose economy, corporate image or even legal position would not be affected by a leak to the exterior.  Today, most organizations, especially financial entities, tend to take initial, preventative measures to protect sensitive information from leaking to their competitors or other external parties.

“It should be noted that more often than not a company’s information security is conceived as the protection of computers and database systems. However, this practice alone is insufficient. Oftentimes, important commercial information leaks to interested parties, including but not limited to competitors. In the majority of cases, that leaked information cannot be found in information systems such as internal networks or databases.”

How can one highlight or reinforce the issue to those who might not pay particular attention to the importance of information security?

“In the effort to avoid and/or reduce information leaks, companies must create a security mechanism based on a combination of activities that can be used to prevent and avoid these types of events.

“The key is to instill within the company an authentic culture of information security.  Some actions that should be taken include the physical compartmentalization of internal departments, limiting access to specified, classified information, installing technologically advanced security systems, shredding documents, supervising how and to whom information spreads internally, and training employees regarding the importance of this issue within the company.

“In defining its infrastructure, an organization must also take into account its suppliers and subcontractors, who may share information of critical importance. It is so important to know your contractor, to understand if he is genuinely trustworthy, or conversely, leaking information because he is loyal to your competitor.”

What role does the human factor play in the field of information security?

“There is no doubt that in security the human factor can prove to be either the strongest or weakest link in the chain. The majority of information leaks are produced by a company’s own employees, whether intentionally or unintentionally.

“Therefore, it is imperative to emphasize that which, along with the information itself, constitutes an organization’s greatest asset: the individuals who work in the companies. This should be highlighted throughout their employment, from the candidate’s screening process, where human resources should assess not only his or her professional resume, but also the individual’s trustworthiness, to the workday routine, where an authentic culture of information security should be implemented.”

How can a candidate or employee’s trustworthiness be measured?

“Personnel integrity and trustworthiness are important factors that should be taken into consideration both before and after hiring. These days there are tests and questionnaires that a specialist can interpret to assess ethical values, including integrity, lying, loyalty, or a tendency to steal or accept bribes, which could prove problematic for the company. Unfortunately, oftentimes the urgency to fill a position means that a company may overlook this crucial step in the hiring process, only to pay for it – literally and figuratively – later.”

Today, one of the most notable and most frequent threats in the field of information security is “eavesdropping” on a company’s communication system. In recent years in Israel there have been several cases in which companies have “eavesdropped” on each other. One such case gained national publicity because it involved two of the country’s largest newspaper houses. According to Atia, they are able to do so because technologic means have become an attainable and accessible tool to anyone who wishes to acquire them.

When eavesdropping is detected, there is a series of phases that are followed:

  • Carrying out a risk analysis: studying the field before carrying out a test, with the purpose of identifying weak points and assessing potential risks.
  • Classifying the risks/threats according to severity, with the purpose of gathering the necessary resources and responding to specific needs.
  • An analysis of potential enemies: a study and analysis of potential enemies’ capabilities, in the context of the local market and past events.
  • A physical site-survey.
  • Providing the client with a formal report of the assessment, including general and technical recommendations to minimize risks.
  • Training the client in basic guidelines for behavior to maximize security.
PSOSONLINE© All rights reserved. Reproduction in whole or in part prohibited without the prior written consent of PSOS.