Information Security FAQs - CQR Consulting
We don’t have a security system in place – what is the first thing I should do?
Information security programmes vary greatly with the size and type of organisation. At a fundamental level, your first step should be to identify your most valuable information assets and protect them. Securing that information may not be the easiest part of building a security programme, but it is the most important.
Is it possible to be 100% secure?
The short answer is no. Security is a process, not a destination. The threat landscape evolves continuously, so controls and mitigations must evolve with it. There is also the question of balance. Organisations need to find an acceptable balance between security and availability: a system that is completely locked down may be safe, but it will impede the business if people can’t access the information they need to do their jobs.
Do I really have to spend money on Information Security?
If your organisation doesn’t want its private, sensitive and corporate information made public, then yes. Many organisations don’t realise how valuable their information is. The reality is that businesses store all kinds of valuable information, including client details, business plans and models, financial details, product development, employee details, records and reports. If this information is not adequately protected, the impact of a security incident could be disastrous.
If I buy an application or data system, doesn’t it have security built in?
To a point this is true, but you shouldn’t rely on it. The reason the information security industry exists is that technology is not secure by default. When a product is developed and released, people start trying to exploit it, and in many cases they succeed. Until vendors take a very serious approach to security throughout development, users will have to apply additional security controls around the products they buy.
What happens if I don’t comply with the PCI DSS?
There are significant risks in non-compliance. The financial consequences are kept confidential between merchants and their acquiring banks. Sanctions placed on non-compliant organisations may include higher transaction fees, one-off fines, monthly fines, or even termination of the ability to process payment cards. In the event of a breach, organisations also face the potential loss of reputation, loss of customers and litigation.