Content

The Human Factor

Every month SC Magazine publishes product reviews, providing the latest information on the solutions available to secure your systems.

The money and the development that goes into producing these new technologies, for the security market in particular, are vast. Likewise, the expenditure by organizations across the world that purchase their goods is immense. With all this technology, and huge budgets spent annually, what would you consider to be the weakest point in most IT systems?

Maybe you think you've got your security all sewn up? Spending thousands of dollars to ensure that your privacy, and that of your clients, partners and customers, is protected may pay off. It may also ensure that you and your organization have fulfilled the legal obligation to mitigate damages, should the worst happen - but are you sure you've covered the whole ball game?

Let's assume you've got every avenue covered: a strong IDS system to combat unwanted activity; gateway protection for incoming and outgoing electronic mail and its associated attachments to protect against unsavory mailings. Then your firewall is configured for ultimate performance, and security holes are well and truly plugged. You know your organization has the best back-up system money can buy, the web server is solid, and your access control is second to none. You have even installed both an auditing and a policy manager over your network to ensure that you can control who does what and where, and the reports they generate are extensive, but is it enough?

With even the most sophisticated and up-to-date security solutions at your disposal, and regardless of who delivers your security (in-house or contracted out to a managed service provider), you may still have a large and potentially catastrophic hole in your otherwise tight security. The important thing in any secure system is to identify any potential weak spots and to map out what, if anything, can be accomplished in a bid to tighten this danger area. So what is this weak point? And how do we ensure that it is adequately dealt with so that it can no longer undermine overall security? If everything is done to secure the network and the plan is followed to the letter, then the chances are that the one remaining weak point in your organization is the human factor, your workforce, and possibly you yourself!

If you haven't educated your employees about their part in the company security strategy then you haven't closed every door and you can't consider your corporate environment to be a secure one. This shouldn't be a 'tell-all' exercise in which you divulge company secrets and open up the void further, but an opportunity in which to provide all of your employees with just enough knowledge to help them to help you. With this knowledge they can become proactive in tightening the security around them. Or if they flagrantly ignore these issues, dare we say it, it gives you a bigger stick to hit them with. Where an employee acts in a naive manner, because they know no better, who do you blame? However, an employee who has been given the correct training and who then compromises your security willfully, can have no defense, and it's another way to tackle the inside issues that account for the majority of security breaches.

So what does it take? From the accounts department down to the cleaning and maintenance division, regardless of their education and their position in the company, it is important to involve them and to get the message across. Even those who do not directly use the computer equipment may be able to do their bit. Take the employee tasked with emptying other employees' waste paper bins. These may contain critical data - printed out and now discarded. If they don't know paper should be burnt or shredded, and it lands up on the street in bags awaiting the garbage collector, who's to blame when it falls into the wrong hands? What a simple way for a dishonest employee to smuggle business-critical files out of the premises!

Therefore, a simple yet effective approach to total security may include the introduction of some form of on-going security awareness training, for all. This training could include the need for vigilance in and around the workplace. Empowering all employees to be aware of their role and that of their colleagues, in relation to your enterprise security, should be an easy thing to put across. Say someone appears in the building to repair a piece of equipment. Once on the office floor, who will challenge them? Security-conscious employees would, and if the face isn't familiar they may save a bogus maintenance engineer from walking off with vital data or equipment.

Simply explaining the basics, such as what a computer virus is, how it is spread and what can be done to remain virus-free, is going to make them more aware. Next time they receive one of those internal emails with an amusing attachment, they may ask themselves - where did it originate from, and is it safe? There are plenty of topics to cover, from precautions needed when traveling with a laptop, down to storing passwords and PINs in electronic equipment such as a PDA. The problem is that because the IT staff have had to become security conscious they blindly think everyone else is too. But the office staff may only see the anti-virus vendor's logo on start-up and not realize everything else is seamless and transparent.

The good news is that this could be the most cost-effective security that you ever put in place. It doesn't have to be heavy stuff - keep it light, informative and to the point. It can be accomplished in-house, on a monthly basis, involving separate departments or your entire workforce. Literature can be produced by the IT department. It shouldn't take long and once generated, the material can be re-used for induction purposes with new employees as they join your team. By empowering your staff in this way, it may discourage those who were able to slip things out of the office, misappropriate company assets and basically get away with it. With everyone aware of the dangers, now their colleagues may identify suspicious actions, which they had previously been oblivious to, or it may just raise the stakes enough to put them off. It's possibly the cheapest way to close ranks against the enemy - both the one you know about, who has cost you thousands in expensive hardware and software purchases, and the one sitting next to you, day-in, day-out!

Jayne Parkhouse is reviews editor for SC Magazine (www.scmagazine.com).

Related

DevSecOps Scanning Challenges & Tips

There are many ways to do DevSecOps, and each organization — each security team, even — uses a different approach. Questions such as how many environments you have and the frequency of deployment of those environments are important in understanding how to integrate a security scanner into your DevSecOps machinery. The ultimate goal is speed […]

It Should Be ‘Cybersecurity Culture Month’

It’s Cybersecurity Awareness Month, but security awareness is about much more than just dedicating a month to a few activities. Security awareness is a journey, requiring motivation along the way. And culture. Especially culture.That’s the point Proofpoint Cybersecurity Evangelist Brian Reed drove home in a recent appearance on Business Security Weekly.“If your security awareness program […]

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.