May flowers … planning security for the future

Having secured your operation against the security issues seen in April and reviewed in my last blog post, how do you assess the robustness of your organization to defend against the ongoing threat environment in May and through the summer?

It is difficult enough for an organisation to determine its exposure to security threats, such as have been seen in the last couple of months. It is often harder to establish guidelines and policies around the handling of different types of information flowing through the many channels of your business in a robust and defensible way. A simple risk based approach can be used to develop these policies and ensure that your organisations are protected as much as possible.

The analysis can be done very quickly and simply by a small team.

First, look at the types of information that may have been affected, breaking them down into broad categories, for example

  • Contracts
  • Plans and Strategies
  • Client confidential information
  • Bidding documents for deal A
  • Marketing information
  • etc.

Like any risk based approach for each of the above categories you need to consider two dimensions.

  • Likelihood – how likely is it that the information has been compromised? A simple scale of Unlikely/Likely/Very Likely should be considered.
  • Consequence – what are the consequences if the information were to be compromised. You should consider financial and reputational impacts to yourselves and where appropriate your clients. A simple scale of Low/Medium/Significant is in most cases sufficient.

If this is plotted as a simple matrix it is possible to assign a risk to each combination of likelihood and consequence, and to devise mitigating actions for those information categories that have a high risk.

For each of the assessed risks it is important to take appropriate mitigating actions, for example as shown below. The mitigating actions are best worked out as a workshop session.

Critically the risk matrix can also be used to categorise your information and decide on its use, storage and techniques for distribution, especially electronic. This can minimize your exposure to future threats and demonstrate to your clients the effectiveness of your information security controls.

Again a simplified example of a set of strategies for information handling could be.

Such a review can be completed in about a day using a small team and can provide invaluable input to dealing proactively with information that may already have been compromised, or to define a future strategy for handling information.

Having an effective strategy for management of your information is vitally important since two things are certain

  1. ~ Clients want their information quicker and at a location and on a device of their choosing. Cloud based distribution of information is going to remain.
  2. ~ Valuable information will be of interest to other parties and techniques for stealing that information will only increase in sophistication.


Safe4 will continue to provide a top level of security for all confidential documents stored by its customers within their overall security strategy.

I hope this summary has been useful and will enable you to use the March Winds and April Showers of the recent security scares to bring forth a May flowering of a robust security environment for your documents.

Please respond to this blog or contact us at with any questions or comments.