When speaking about information security, the first thing everybody thinks of is the IT itself: the PC, the network or the server being used. The people sitting in front of the machines, and their importance for security, are often overlooked. Yet most serious security problems are initiated by people (think of the recent hack at Sony), and any attack is made easier by people not using the security features their machines provide.
Any organisation should pay sufficient attention to the people working there. One of the most important aspects of a successful information security programme is awareness. Without awareness, people will not understand why security is necessary, will see the controls in place as a disturbance and will try to circumvent the existing measures without understanding the potential damage this might cause. It is clearly not enough to publish policies and procedures on the Intranet – nobody will read them! Instead, it is worthwhile investing in an awareness campaign, perhaps using videos, games or anything else that makes the traditionally dry topic of security interesting and entertaining. Furthermore, it is important to keep the awareness efforts going: any pause will result in an immediate decrease in awareness, and the way back is difficult and even more work- and resource-intensive.
Whilst awareness and motivation are necessary, they are not the only measures an organisation should take to secure the work of its employees. An organisation needs to know what its employees are doing, e.g. how they are using email and the Internet, and whether this usage is compromising the organisation. A disciplinary process helps if somebody is deliberately misbehaving, but it should always be objective and fair.
There should also be a set of rules that all people in the organisation have to follow, such as:
- Careful selection and handling of passwords – a password is like a toothbrush: change it frequently and don’t share it.
- Confidential information should not be lying around openly – would you like your credit card details to be public knowledge?
- Careful use of USB sticks – do you know whether they are virus-free and how other people will use the USB stick?
- Report anything unusual through the reporting channels provided – how can an organisation react to a problem if nobody knows about it?
- Identifying information that needs protection – if you are working with information, you know how important it is; how could somebody else determine this importance without your input?
- Responsible use of email and the Internet – are you aware of the risks of malicious software, phishing, spam and malicious websites?
- Protecting information when travelling – how many people have forgotten documents, phones or laptops in taxis, trains or planes?
A very important topic here is the right choice and use of passwords – as annoying as it is for users, the concept of accountability is necessary for information security, and that can only be assured if every person has a unique user account to which only they have access. Machine-generated passwords might be secure, but they are very difficult for people to remember, and a good password written down is also insecure… The organisation should help people by giving advice on how to construct good passwords, which is not so difficult: just think of a sentence and use a combination of the first and last letters of its words, or “redesign” a word using special characters [e.g. $e(ureP@ssWord]. The right management of passwords (frequent change, avoiding re-use of old passwords, etc.) is also important. Given the various challenges with passwords, a good solution might be to move to biometric identification and authentication techniques – it is difficult to forget your index finger at home.
With all these controls in place, people can be what they should be for the organisation: important assets without which no organisation can work successfully!