Ukrainian information security expert Mykola Kostinian works mainly with media and non-profit organizations, advising them on their information security.
He is convinced that a lack of financial means is no reason not to have information security, as there are organizations that help media outlets.
“It’s not a matter of money; you don’t need money to protect your email. Protected are those organizations that are well-managed, not those that have greater financial means.”
According to Kostinian, to ensure its information security a media organization must hold a discussion with management and a few key staff members, and carry out a risk assessment once a year.
“First you have to understand what to protect. Probably the data and communication in computers, on servers, or in email, as well as the website should be protected from hacking and attacks.
“From whom and what the data should be protected should also be decided. For example, from competitors, who can organize a DDoS attack, or from police, who can come one day and seize the organization’s computers. A list that includes all the risks must be compiled at the meeting.
“After identifying the risks, you should assess their likelihood and consequences, then single out, for instance, the five main issues; only after those are resolved can you move on to the secondary issues.”
According to Kostinian, the meeting is followed by a security audit, preferably conducted by an outside organization, which must assess how well the media organization is protected from the identified risks.
“The audit will check how realistic these risks are; it may find that the organization is already protected from certain risks. Then the audit makes recommendations — both technical (the use of passwords on computers or having special access to email) and managerial (determining procedures).
“When a decision is made on which recommendations can be implemented, they are implemented, after which a final audit is carried out. For example, if a decision is made that passwords must be of a certain length, it’s checked by reviewing employees’ passwords, sometimes several times a year.
“This process of meeting, assessment, audit, implementation, and oversight must be repeated every year.”
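The assessment step Kostinian describes (list each risk, rate its likelihood and consequences, and keep the five main issues for the first round) can be written down as a small risk register. The code below is an added example, not part of the article or anything Kostinian published; the newsroom assets, threats and ratings in it are constructed for illustration, and the 1..5 scales and the likelihood × consequence scoring are assumptions, not a method the article prescribes.

```python
"""Toy risk register for an annual assessment: list the risks, rate
likelihood and consequences on 1..5 scales, rank them, and keep the top
five for the first round of mitigation. Added example; all values are
constructed for illustration."""
from dataclasses import dataclass


@dataclass
class Risk:
    asset: str          # what is being protected (email, website, laptops, ...)
    threat: str         # from whom / from what (competitors, seizure, ...)
    likelihood: int     # 1 (rare) .. 5 (almost certain)
    consequence: int    # 1 (negligible) .. 5 (catastrophic)

    def __post_init__(self):
        # Reject ratings outside the agreed scale so the ranking stays comparable.
        for name in ("likelihood", "consequence"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be in 1..5, got {value}")

    @property
    def score(self) -> int:
        # Simple likelihood x consequence matrix; higher means more urgent.
        return self.likelihood * self.consequence


def prioritize(risks, top_n=5):
    """Return the top_n risks by score. Ties are broken by consequence first
    (a rare but catastrophic event outranks a frequent nuisance with the same
    product), then by asset and threat name so the output is deterministic."""
    ranked = sorted(
        risks, key=lambda r: (-r.score, -r.consequence, r.asset, r.threat)
    )
    return ranked[:top_n]


def remaining(risks, top_n=5):
    """Secondary issues: everything not selected for the first round."""
    first_round = {id(r) for r in prioritize(risks, top_n)}
    return [r for r in risks if id(r) not in first_round]


# Constructed sample register for a small newsroom (illustrative values only).
REGISTER = [
    Risk("email", "account takeover via phishing", 4, 5),
    Risk("website", "DDoS by competitors", 3, 3),
    Risk("website", "defacement via outdated CMS", 3, 4),
    Risk("office laptops", "seizure by police", 2, 5),
    Risk("office laptops", "theft of unencrypted laptop", 3, 4),
    Risk("backups", "ransomware encrypts sole copy", 2, 5),
    Risk("printers", "unpatched firmware", 2, 1),
    Risk("social media", "shared password leaked", 4, 3),
]

if __name__ == "__main__":
    print("First round:")
    for r in prioritize(REGISTER):
        print(f"  {r.score:2d}  {r.asset:15s} {r.threat}")
    print("Secondary issues:")
    for r in remaining(REGISTER):
        print(f"  {r.score:2d}  {r.asset:15s} {r.threat}")
```

The register is deliberately the only artefact here: the audit that follows checks whether each listed risk is real and whether existing controls already cover it, so the ratings are inputs to be challenged, not a conclusion. Re-running the script with the audited ratings is the cheap part of the yearly cycle.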
To organizations wanting to work according to international information security standards, Kostinian recommends becoming acquainted with the ISO 27001 standard, which is called “Information security management system.”
For media organizations that are unable to follow all of these rules, Kostinian offers some basic advice:
- Use licensed operating systems and programs. International organizations such as Internews and TechSoup can help media organizations acquire them; you just have to contact them.
- Absolutely ensure the security of your email.
- Have a dedicated employee for the website who periodically checks that it is working properly: applying updates, maintaining its defenses, and identifying attacks.
- Have a system administrator who proactively monitors activity on the organization’s computers.