The Human Element of Information Security, Continued
In Part One of this series, I laid out data breach statistics that were at best startling, and at worst downright terrifying. Thankfully, a large percentage of the data breaches discussed were preventable, and there are lots of lessons to be learned from them that can help you protect your organization.
In Part Two, I discussed security awareness training basics and the importance of mobile device management.
We’re still talking about the human element of information security today, specifically your IT policy, internal processes, and all of the IT audits you need to make sure your organization is completing, both for compliance and security reasons.
IT Policy and Internal Processes
Make sure your policies are available for easy reference and contain material that supports your training. Does your policy give an overview of how devices are managed – as in, do your employees know that you can track a lost device, or wipe it if necessary? Is it written in language that’s easily understandable for employees of all levels of technical skill? The easier it is to understand, the easier it is to follow, which is why I now turn off my computer every night. I may not be a technical genius, but I can manage that.
You may also have internal procedures that aren’t necessarily shared with all of your employees – for example, do you have a documented IT procedure for when an employee leaves the company? What’s your process for deciding who has access to which systems? What’s your system for reviewing these access logs regularly? For updating anti-virus and anti-malware software?
Information Security Training: Audits Are Your Friend
The ultra-technical aspects of IT are not my strength, so I’m going to take my own advice and keep it simple here. Regular security and access audits are your friend. Security audits, as well as access audits, play a significant role in showing your commitment to managing cyber security.
An access audit is simply a log of who has access to which systems within your company. This may include employees, contractors, partners, or other third parties. It’s important for this access to be reviewed regularly so that former employees and former vendors don’t have access to your data. You also want to update access as legacy systems are phased out – there’s no reason to have access to a system that’s no longer being used.
You may also tie in your inventory of devices here. Devices include company-issued laptops, computers, smartphones, as well as the servers, routers, switches, wireless devices, modems, firewalls and other devices that your company uses to conduct business.
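The access review described above (and the offboarding and access-decision questions raised earlier) comes down to reconciling three lists: who currently has access, who is still employed or under contract, and which systems are still in service. Here is an added illustration of that reconciliation in Python; it is not code from the original post or from the author’s company, and every name, system and date in it is a constructed sample:

```python
"""Access-audit reconciliation: flag grants that should be revoked or re-reviewed.

Added example with constructed data; the people, systems and dates are
hypothetical and not taken from the original post.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Grant:
    """One row of the access log: who can reach which system, and when it was last reviewed."""
    user: str
    system: str
    granted_by: str
    last_reviewed: date


# Constructed access log (what an access audit would hold)
GRANTS = [
    Grant("alice", "payroll", "it-admin", date(2014, 3, 1)),
    Grant("bob", "crm", "it-admin", date(2014, 3, 1)),
    Grant("carol", "crm", "it-admin", date(2013, 1, 15)),         # carol has left the company
    Grant("vendor-acme", "vpn", "it-admin", date(2012, 11, 2)),   # vendor contract has ended
    Grant("alice", "legacy-erp", "it-admin", date(2013, 6, 30)),  # system was decommissioned
    Grant("bob", "fileserver", "it-admin", date(2013, 2, 10)),    # still valid, but review is overdue
]

# Constructed roster: employees and contractors who are still engaged (from HR)
ACTIVE_PEOPLE = {"alice", "bob", "it-admin"}

# Constructed inventory: systems still in service (from the device/system inventory)
ACTIVE_SYSTEMS = {"payroll", "crm", "vpn", "fileserver"}

# Policy assumption: every grant must be re-confirmed at least once a year
REVIEW_INTERVAL = timedelta(days=365)

# Fixed audit date so the example gives the same answer every time it runs
AUDIT_DATE = date(2014, 6, 1)


def find_stale_access(grants, active_people, active_systems, today):
    """Return (user, system, reason) for each grant that should be revoked or re-reviewed.

    Checks are ordered by severity: a departed user or vendor is flagged first,
    then access to a decommissioned system, then a grant nobody has re-confirmed
    within REVIEW_INTERVAL.
    """
    findings = []
    for g in grants:
        if g.user not in active_people:
            findings.append((g.user, g.system, "user no longer employed or contracted"))
        elif g.system not in active_systems:
            findings.append((g.user, g.system, "system decommissioned"))
        elif today - g.last_reviewed > REVIEW_INTERVAL:
            findings.append((g.user, g.system, "access review overdue"))
    return findings


if __name__ == "__main__":
    for user, system, reason in find_stale_access(GRANTS, ACTIVE_PEOPLE, ACTIVE_SYSTEMS, AUDIT_DATE):
        print(f"REVOKE/REVIEW {user}@{system}: {reason}")
```

The point of keeping the roster and the system inventory as separate inputs is that they come from different owners (HR and IT respectively); an offboarding procedure that updates the roster but never re-runs this comparison leaves the departed user’s grants in place, which is exactly the gap the audit is meant to catch.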
You may consider a third-party vulnerability assessment, also known as a penetration test. This is essentially paying a team of good guys to hack your systems and show you where the holes are before the bad guys get a chance. Your IT team may be able to perform these types of tests internally. CSO recently wrote an article about security awareness and a smaller budget organization that had to devise its own tests:
“We did a penetration test and within fifteen minutes, somebody clicked and gave out their credentials, and they [the penetration test team] were in from the outside… [A later test showed that] out of the initial run of a few hundred emails, Berlin said that she managed to get nearly 60 percent of the targets to enter their credentials.”
This will help you revise your training and security protocols to address these holes. Even the best technical setup won’t prevent your employee from giving away company data accidentally, so consistent training is key. Something our Head of IT, Todd Neal, does is send out monthly IT Updates, which are newsletters that alert us to the latest scams and security threats. As an employee, I like them because they’re helpful – they help me protect my personal data as well as the company’s.
Information Security Training vs. Security Awareness Training
One last note: there is a difference between information security training and security awareness training. Let me lay out the difference between the two – information security training is generally more rules-based, done more for auditors who need to check a box for compliance, versus security awareness training, which tends to be ongoing and focused on behavior modification.
That doesn’t mean one is better than the other – it just means they serve different purposes. Information security training tends to be performed yearly, often with a more technical focus, whereas security awareness training occurs throughout the year and teaches employees simple tips and tricks they can incorporate into their daily routine to increase their personal security quotient. All that said, most organizations will use these phrases interchangeably, and I will likely slip up and do the same, if I haven’t already, so please forgive me in advance.
I didn’t list all the articles I consulted for this post, so reach out to me on LinkedIn if you’d like the full list. Check back for Information Security Training Master Class Part 4 for the rest of the strategies you can use in the battle for data privacy, information security, and security awareness within your organization.
For More Information About Information Security Training, Check Out These Resources:
- Blog: 4 Cases Where Security Awareness Training Could Have Saved The Day
- Blog: From Russia With Love: ‘Do svidaniya’ Peace Of Mind, Hello Information Security Training
- Blog: Information Security Training Can Even Save Your Grandparents
ON DEMAND WEBINAR | Cybersecurity 2014: The Impact on Global Companies
Download “Cybersecurity 2014: The Impact on Global Companies,” featuring Lisa Sotto, Partner and Chair of the Privacy and Security Practice for Hunton & Williams. Lisa will discuss the state of cybersecurity in 2014. You will learn cybersecurity best practices, the current state of data privacy legislation, and what to do in the event of a data breach.