People by nature are curious, emotional and often gullible.  That mix can be toxic when trying to keep a tight rein on information security.

If you’ve ever made a purchase that never made its way out of the packaging, or after opening it asked yourself why you ever bought it in the first place, you realize as humans we are susceptible to marketing hype and temptation – the newest, shiniest object – without always thinking our actions through before we indulge.

A similar mentality holds true for our daily work in the office.  We want to trust, explore and learn.  But when mixing those human impulses with what’s lurking in cyberspace, our curious nature can get us into trouble.  As companies, we sometimes fail to account for this human behavior when it comes to security, and we largely ignore the weakest information security link in an organization: our people. 

Companies typically pay very close attention to the process and technology aspects of maintaining IT security, but tend to overlook their own employees as an influential factor.  Not too long ago, that approach worked in protecting data.  Threats were eliminated once companies purchased anti-virus software and put up a firewall.  This is no longer the case.

Cyber attacks are now more sophisticated. Once we effectively fortified our IT walls, hackers changed their strategy, and found a way to bypass our ramparts of protection.  Today, attackers prey on the weaknesses of the human component.  They rely on the predictability of people to breach those walls and all they need is just one weak link to infiltrate the network.

Humans are Fallible

Even with a solid information security framework in place, employees are always going to click on dangerous links.  They respond to emails that look like they came from a colleague, and intentionally email co-workers classified information and passwords.

The more people in an organization, the more variance there is in levels of education and IT sophistication.  The ways they use data and their levels of access span a wide range.  Establishing rules and guidelines becomes that much more complex – and important.

BYOD, or Bring Your Own Device, introduces a new layer of complexity, with employees accessing company data with their own technological devices like laptops, smartphones and tablets.  Different platforms and architectures of these devices make it difficult to implement one uniform set of rules for everyone.

So how do we strengthen our weakest information security link?  Keep the following practices, channels, and knowledge in mind:

  • Implement a Security Policy: Create a comprehensive information security policy and be sure all employees understand and comply with it.  It should include, for example, data classification and access, explanations of what’s allowed and what’s not, two-factor authentication and more.
  • Data Classification and Access:  Assign security levels to different categories of company information, such as public/non-classified, internal use, confidential and secret.  These varying levels let employees know how sensitive information is and how to appropriately treat it.  It also helps managers grant specific employees access to certain information. 
  • What’s Allowed and What’s Prohibited: Clearly state which actions are allowed and which are not.  For example, never send passwords via email, under any circumstances.  Instead, call a co-worker and verbally share the password.
  • Two-Factor Authentication: A lot of companies are using text messaging as a way to implement two-factor authentication, which requires the user to provide two separate means of identification in order to log in to a system.  Two-factor authentication combines (1) something the user knows, like a passcode, and (2) something the user has, such as a personal cell phone.
  • Assigning Responsibility: What’s the receptionist’s responsibility?  The manager’s?  Every member of an organization is responsible for something, so define it.  It could be as simple a guideline as “Question everything.  If you don’t know, here’s who to contact to ask.”  Assign someone to keep up with changes as new threats emerge.
  • What to Do if a Device is Lost or Stolen: In the event an employee’s device is lost or stolen, instruct employees who to contact.  There are applications available that can remotely wipe data off devices.  However, these tools should not be used on personal devices without permission, so a strong BYOD policy is needed first.
  • Social Media Guidelines: Clearly share the guidelines for using social media platforms like Twitter, Facebook and LinkedIn, including what information can and can’t be shared via these media.
  • Incident Response: Develop an incident response plan to ensure appropriate action if security is breached.  Have this plan in place before a breach happens.
  • Maintenance: Finally, create a process to ensure your information security policy stays current.  Information security is ever changing, and you should update your policy regularly. 

Train Employees

Management and employees must be educated, prepared and equipped with the tools to deal with a constant bombardment of new (and old) threats.  Ongoing training is critical to ensure your entire organization is working together to maintain the company’s IT security. 

Hold regular security training during on-boarding, and at least quarterly for all employees.  Utilize lunch and learn sessions, mandatory online training and awareness campaigns to reinforce your security policies.

Real-world exercises are an effective way to train employees how to look out for and address threats.  Conduct a phishing exercise as part of training.  The key is to engage people in the training to increase effectiveness.

The Final Word

Security built on technology and process alone isn’t enough anymore.  Hackers recognize the vulnerabilities that accompany the human element, and they are taking advantage of them.  Until we can come up with a better way of providing security, people will continue to be a weak link.  The best and least expensive way to combat this is through policies and training.  Policies that clearly state the do’s and don’ts, and offer detail on how each employee plays a role in IT security, are absolutely critical in maintaining the integrity of a company’s information assets.

Training is necessary to ensure understanding of the policies.  It’s our job to help employees recognize and address cyber threats; our information security depends on it.

David Barton is a principal at UHY LLP, and leads the Internal Audit, Risk and Compliance practice. His primary focus and expertise is in the areas of information security and technology risk and controls. Reach him at dbarton@uhy-us.com and follow him on Twitter at @ITcontrolsfreak.  
