Jun 23, 2014
What do you think the biggest risk to information security is? Outdated firewalls? A lack of antivirus software? Poorly developed software applications? Insecure networks? They're all big problems, but the biggest risk to information security in your organisation is a different threat altogether. It's the people.
- The careless IT technician who throws away all your development team's old computers, without destroying the hard disks.
- The receptionist who lets anyone wearing a high visibility jacket into the server room.
- The chief executive who takes over a thousand confidential documents home on a USB stick, and plugs it into his infected computer.
- The marketing team member who sends all of your software logins to a colleague via insecure email from a coffee shop.
You can see where I'm going. People cause even the most well developed information security systems to fail, and all the security software and hardware in the world won't save you from these problems.

Thankfully, there are things you can do to minimise these risks.
Minimum Security Training for All Staff
If your staff are never trained in basic security best practices, they will never learn them. Can you really expect your receptionist to come into the job knowing everything there is to know about social engineering and information security? Or your chief executive to fully understand the risks of taking confidential documents home?

With even the most basic training, you can eliminate a lot of the people risks your organisation faces. If your organisation hasn't implemented basic security training before, it's well worth watching our video in partnership with the Ponemon Institute and PCI Council on educating staff with limited budgets, maintaining good data security practices and more.
Appropriate Access Permissions
It's quite simple. Don't give information access to inappropriate people. Only allow each member of your organisation access to the information they need to work. If a document is potentially damaging when released to the public (or competitors), you need to be even more careful.

As data moves into the cloud, this becomes a growing challenge. Fortunately, applications like Box Business come with advanced permission management functionality out of the box. Don't let your employees store company documents wherever and however they want.
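The two rules in this section, give people only what they need to work, and be stricter with documents that would do damage if they leaked, translate directly into a deny-by-default access check. The example below is added here to illustrate that; it is not code from the original post, from Box, or from any product. The classification tiers, group names, users and documents are all constructed for the example, and every decision is written to an audit list so that "who was allowed to see what, and why" can be reviewed later.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Classification tiers, lowest to highest. Assumed for this example.
LEVELS = {"public": 0, "internal": 1, "confidential": 2}


@dataclass(frozen=True)
class Document:
    name: str
    classification: str  # one of LEVELS
    owner_group: str     # the team that needs this document to do its work


@dataclass(frozen=True)
class User:
    name: str
    groups: FrozenSet[str]
    clearance: str       # highest classification this user may ever see


def check_access(user: User, doc: Document, audit: List[str]) -> Tuple[bool, str]:
    """Return (allowed, reason). Deny by default: a branch must positively
    grant access, and every decision is appended to the audit trail."""
    if doc.classification not in LEVELS or user.clearance not in LEVELS:
        decision = (False, "unknown classification or clearance")
    elif LEVELS[user.clearance] < LEVELS[doc.classification]:
        # Sensitivity gate: damaging documents need a higher clearance.
        decision = (False, "clearance below document classification")
    elif doc.classification == "public":
        decision = (True, "public document")
    elif doc.owner_group in user.groups:
        # Need-to-know gate: clearance alone is not enough; you must be on
        # the team whose work the document supports.
        decision = (True, "member of owning group")
    else:
        decision = (False, "need-to-know: not in owning group")
    verdict = "ALLOW" if decision[0] else "DENY"
    audit.append(f"{verdict} {user.name} -> {doc.name}: {decision[1]}")
    return decision


def demo() -> Tuple[Dict[Tuple[str, str], bool], List[str]]:
    """Run the check over constructed sample users and documents."""
    docs = [
        Document("staff-handbook", "public", "hr"),
        Document("q3-roadmap", "internal", "engineering"),
        Document("merger-terms", "confidential", "executive"),
    ]
    users = [
        User("receptionist", frozenset({"frontdesk"}), "internal"),
        User("engineer", frozenset({"engineering"}), "internal"),
        User("ceo", frozenset({"executive"}), "confidential"),
    ]
    audit: List[str] = []
    results = {
        (u.name, d.name): check_access(u, d, audit)[0]
        for u in users
        for d in docs
    }
    return results, audit


if __name__ == "__main__":
    _, trail = demo()
    print("\n".join(trail))
```

Note that the chief executive, despite holding the highest clearance, is still denied the engineering roadmap: clearance answers "may this person see data this sensitive?", while group membership answers "does this person need it to work?". Both gates must pass, which is what "only the information they need to work" means in practice.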
Clear Information Security Policies
If you want your employees to treat information security seriously, you need to have appropriate policies and processes in place. These policies need to be simple, and easily accessible to all employees. Some employees will need to be more stringent than others, so don't just create a blanket policy.

If your security policies are extremely complicated, then they likely won't get understood, and therefore followed. Security is always a balance between minimising risk and maximising productivity, so be willing to compromise in places of lower perceived risk.

Have any tips of your own for reducing the risk people pose to information security in organisations? Share them in the comments below.