The Human Element of Information Security
In Part One of this series, I laid out data breach statistics that were at best startling, and at worst downright terrifying. Thankfully, a large percentage of the data breaches discussed were preventable, and there are lots of lessons to be learned from them that can help you protect your organization.
In Part Two, I want to discuss the human element of information security. After all, it’s not just the technical side of data privacy and information security that presents some complexity.
I think part of the problem is that people are unaware of the relative simplicity of some forms of hacking, and how common it is. A classmate of mine shared a story from his college days: an IT professor, trying to stress this very point, turned on a wifi sniffer in class, took control of one of his students’ computers, and posted on the student’s Facebook wall. Our professor told us that the average YouTube user could learn basic hacking skills in just a couple of hours (though he didn’t recommend it as a hobby, of course.) And sure, hacking a Facebook profile isn’t such a big deal, but what if he’d instead accessed the student’s bank account or credit cards?
Take this article, How To Not Get Hacked at the World’s Preeminent Hacker Conference, written by Lucy Teitler, for example. You may be rolling your eyes – how many of us spend time in a room full of hackers on a regular basis? The point is, probably all of us, without even knowing about it. What follows is some of the security advice Lucy received at the conference:
“You’ll probably be fine so long as you don’t use ATMs or wireless and try to use your cell phone as little as possible.
Don’t send any text messages you don’t want someone to read. Don’t open any links in text messages, even if they come from people you know. One of the cohorts, I’m informed, had already received a text from her husband that contained a link with a virus.
Make sure your wifi, Bluetooth and cellular data are all turned off.
Do not, under any circumstances, use the free conference wifi. Don’t access anything on your phone that has a password that you don’t want other people to find out. And, to be extra safe, bring a burner laptop.”
So how often have you used the wifi in a public space? Used a password-protected app in a Starbucks? Sent text messages you would prefer for others not to read? Since I am guilty of all of the above, I will join you as you skulk in security shame. We might as well write our credit card info on our foreheads, committing such utter security sins.
But let’s take this further for a minute: if we’re so bad at protecting our own data, how are we supposed to protect confidential company data?
Your Information Security Master Plan
Fear not, brave readers. Remember this statistic: 89% of breaches were preventable. Looking back, that’s a depressing statistic, but looking forward, it’s a hopeful one. I’ve put together the following information security plan to help you protect your organization, using everything I’ve gleaned from my IT class and the dozens of articles I’ve read.
In this post, we’re going to cover the basics – simple security protocols you can implement via your information security training, security awareness training, policies, and procedures.
Here’s an overview:
- Implement simple security awareness training
- Chat with the IT department and learn about how your company is managing mobile devices
- Ensure your IT policy is written in comprehensible language and is easily accessible (Part 3)
- Find out if your company conducts regular security and access audits, as well as device inventories, and where it stores them (Part 3)
Security Awareness Training: Keep It Simple, Sister
As I mentioned earlier, this post is all about the basics. One blog estimates that training can reduce information security losses by as much as 75%. 75%! Educating your employees is one of the easiest, most impactful things you can do to prevent breaches.
I’m not a technical genius, even though I consider myself pretty computer savvy. However, when I went through my security awareness training, and then my MBA class, I was blown away by the fact that I didn’t know how important it was to do a few simple things, such as shutting down my laptop at night (something I’d previously never done.) Here’s a list of simple security protocols you can pass on to your employees:
- Lock your workstation any time you leave your desk
- Don’t ever leave a company-issued device (or security badge, for that matter) in a vehicle
- Turn off your computer at night – don’t put it in hibernate or sleep mode, shut it down
- If you can, unplug your computer at night
- Don’t give out personal or corporate data via email unless you know the person you are sending it to and have verified that you are sending it to their company-issued email address
- Make sure you have a secure password: 76% of breaches involved weak or stolen account credentials
Mobile Device Management
It’s likely that your IT department handles your mobile device management, but it’s important for you to know what capabilities they have in this regard, since mobile devices make up a significant portion of cybersecurity risk. Even if you’re not in charge of implementing these protocols, it’s helpful to be aware of them and to be familiar with the terminology for conversations with your IT department.
Two statistics back me up on this: 1) 75% of compliance officers are not involved in cybersecurity risk management, and 2) “Thirty-five percent of organizations had a data breach as a result of a lost or stolen mobile device, which included laptops, desktops, smartphones, tablets, servers and USB drives containing confidential or sensitive information.”
I’m assuming you want to get more involved in cybersecurity risk management since you’re reading this article, so here’s a slightly more technical list of security measures, all of which are features of a solid mobile device management tool:
- Remote wipe capability
Do you have the capability of wiping all data from company-issued devices, whether smartphone or laptop, remotely? For example, your employee goes to a conference and loses his smartphone, which happens to be tied to his work email and likely contains sensitive, if not confidential, data. Your IT team should be able to remove all data from this device regardless of where the device is physically located.
- Device encryption
Most MDM suites will allow you to encrypt the data on devices, whether by enabling the built-in capability, such as that on iOS devices, or by adding encryption to devices that don’t have it.
- Lost device procedure
Some tools will allow you to track a lost device, cutting down on equipment replacement costs and data loss. Of course, remote wipe should be available as a backup, just in case the device can’t be found. Remote lock may also be available, which buys some time for the employee to track down the device.
- Password protection
Enforcing solid password protection is one of the easiest ways to keep your data safe. Your MDM can remind users to change passwords regularly, tell them what the components of a strong password are, and make sure that password protection is enforced every time the device is locked or left unused for a certain period of time.
If your mobile device management solution doesn’t have these capabilities, it might be time to find a new provider.
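As an added example (not code from this post or from any MDM vendor), here is a small Python audit that evaluates a constructed device inventory against the four capabilities listed above: remote wipe (which presupposes MDM enrollment), device encryption, the lost-device procedure, and password protection. The field names, policy thresholds, and sample devices are all assumptions made for the example; a real MDM export would use its own schema.

```python
"""Audit an MDM inventory export against the four controls discussed above.

Added example, not from the original post or any particular MDM product:
the field names, thresholds and the sample inventory are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

# Policy thresholds are assumptions for this example, not values from the post.
MAX_AUTOLOCK_MINUTES = 5
MIN_PASSCODE_LENGTH = 8
MAX_PASSCODE_AGE_DAYS = 90


@dataclass
class Device:
    name: str
    owner: str
    enrolled: bool            # enrolled in MDM, so remote wipe/lock are possible
    disk_encrypted: bool
    passcode_required: bool
    passcode_min_length: int
    autolock_minutes: int     # idle time before the screen locks
    passcode_age_days: int
    status: str = "active"    # "active" or "lost"
    remote_locked: bool = False
    wipe_issued: bool = False


def evaluate(device: Device) -> list[str]:
    """Return a list of findings; an empty list means the device is compliant."""
    findings: list[str] = []
    # Remote wipe capability: only an enrolled device can be wiped from the console.
    if not device.enrolled:
        findings.append("not enrolled in MDM: cannot be remotely wiped or locked")
    # Device encryption: data on a lost device is only protected if storage is encrypted.
    if not device.disk_encrypted:
        findings.append("storage is not encrypted")
    # Password protection: passcode present, long enough, locks on idle, rotated.
    if not device.passcode_required:
        findings.append("no passcode required")
    else:
        if device.passcode_min_length < MIN_PASSCODE_LENGTH:
            findings.append(f"passcode shorter than {MIN_PASSCODE_LENGTH} characters")
        if device.autolock_minutes > MAX_AUTOLOCK_MINUTES:
            findings.append(
                f"auto-lock set to {device.autolock_minutes} min (max {MAX_AUTOLOCK_MINUTES})"
            )
        if device.passcode_age_days > MAX_PASSCODE_AGE_DAYS:
            findings.append("passcode older than rotation limit")
    # Lost device procedure: a lost device must be locked, and wiped if still missing.
    if device.status == "lost":
        if not device.remote_locked:
            findings.append("reported lost but not remotely locked")
        if not device.wipe_issued:
            findings.append("reported lost but no remote wipe issued")
    return findings


def audit(inventory: list[Device]) -> dict[str, list[str]]:
    """Map each non-compliant device name to its list of findings."""
    return {d.name: f for d in inventory if (f := evaluate(d))}


# Constructed sample inventory (not real devices or people).
SAMPLE_INVENTORY = [
    Device("phone-01", "alice", True, True, True, 8, 2, 30),
    Device("laptop-02", "bob", True, False, True, 12, 15, 120),
    Device("phone-03", "carol", False, True, False, 0, 10, 0),
    Device("tablet-04", "dave", True, True, True, 8, 5, 10,
           status="lost", remote_locked=True),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INVENTORY).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Running the script lists every device with at least one gap, which is the report you would want before a conversation with the IT department about which of the four capabilities the current MDM actually enforces.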
Conclusion of Part Two
The best takeaway from all the articles I read was this:
I’m making that my personal cybersecurity mantra – breaches happen, but it’s up to us to be aware and do our part to protect our organizations, not to mention our personal data.
I didn’t list all the articles I consulted for this post, so reach out to me on LinkedIn if you’d like the full list. Check back for Information Security Training Master Class Part 3 for the rest of the strategies you can use in the battle for data privacy, information security, and security awareness within your organization.
For More Information About Information Security Training, Check Out These Resources:
- Blog: 4 Cases Where Security Awareness Training Could Have Saved The Day
- Blog: From Russia With Love: ‘Do svidaniya’ Peace Of Mind, Hello Information Security Training
- Blog: Information Security Training Can Even Save Your Grandparents
ON DEMAND WEBINAR | Cybersecurity 2014: The Impact on Global Companies
Download “Cybersecurity 2014: The Impact on Global Companies,” featuring Lisa Sotto, Partner and Chair of the Privacy and Security Practice for Hunton & Williams. Lisa will discuss the state of cybersecurity in 2014. You will learn cybersecurity best practices, the current state of data privacy legislation, and what to do in the event of a data breach.