Expenditure on information security policies, procedures, technologies and people is escalating, and yet security breaches are still frequently reported, with rising costs. We have to ask: why?
Extensive research has thrown up one possible cause of these prevalent security breaches: senior management. Articles, blogs and tweets can be seen every day with straplines such as ‘CEO facilitated security breach through lack of training and infrastructure’ or ‘senior management choose not to take part in security training.’ Higher management are stubbornly denying their responsibilities in this area, and the general consensus appears to be that staff at the bottom of the corporate pyramid are the only ones capable of making the human errors which cause costly breaches.
Recently there was a case of an executive requesting that his PC be connected to another company's network, as he was on the board of directors at said company. This risky procedure was performed against company policy. The belief is that some people consider themselves too important to adhere to basic information security best practices.
All businesses manage a wealth of personal information each day: personal details which, if dumped on an open source website, could cause mayhem. Email addresses and phone numbers could lead to numerous spam emails and nuisance calls, and we all know the consequences of bank details going astray.
The fact is that beneath the surface of your organisation is a goldmine of information which, without information security training, strong firewalls and some careful thought from employees, is primed for a simple attack to breach the network, with leakage of critical information being the end game.
Some of the most devastating examples in recent times were the Target breach, with costs upwards of one billion dollars, and, of course, the Edward Snowden leaks.
There are numerous areas which need to be improved, but let’s start with the basics:
1. It is important that secure behaviours are practised from the canopy right down to the grass roots. If Information Security Training is a mandatory requirement, management should be seen to be supporting completion. If you have ever seen ‘The Elevator Experiment’, this is a great example of how peer pressure can affect behaviours. When staff see that everyone is making a change to their day-to-day practices, they will be compelled to do the same.
2. Middle-level management, such as team leaders and shift managers, should display secure behaviours and regularly reinforce the importance of protecting data to their staff. Displaying posters and other supporting materials around work areas is a great way of keeping those secure messages at the forefront of staff’s minds.
3. A risk register will help identify vulnerabilities, threats to vulnerabilities and the risks associated. A register should reflect who is responsible for each risk and what action is being taken to combat the vulnerabilities; senior management should also perform quarterly reviews of the register.
Changing mindsets at every level of management is vital to enhancing the human firewall. For further information on how we can help you to protect your vital information assets, just get in touch.