With more and more data becoming electronic and going online, information security is becoming a vital area of discussion and concern for organizations, federal agencies, governments, and even individuals.
Because of this, many organizations have been spending a certain amount of effort and time conducting awareness training and coming up with ways to make people more aware, with hoardings, sign boards and what not. This is done as the best short-cut approach to educating their most vulnerable asset for information security, their people, so that they realize the pros and cons, and to preach awareness about how responsible they should be.
But let's be honest with ourselves: have we been successful? I still hear of organizations, colleagues, friends and acquaintances compromising their vital information and getting hooked, whether it be their own personal credit cards, documents or what not!
I believe that a well presented training and awareness program does invoke thoughts about aspects of information security and the realization of being secure, but it CANNOT ensure how the attendees take that invoked thought forward, or whether they can really implement it in their lives, unless and until they happen to witness an incident themselves!
Through this article, I am trying to open a thought process where we think beyond just training and awareness campaigns, and in fact implant the very practices in our people.
Everybody is aware of wearing a seat-belt while driving and a helmet while riding; everybody is aware that smoking tobacco is injurious to health; everybody is aware of the benefits of good food habits, exercising daily and waking up early. Awareness exists, but practice does not.
Just as health is important for people to think about, information security is equally important for organizations to maintain their competitive edge, the confidentiality of their data, the integrity of their organizational practices, and the availability of resources and data as and when required.
By and large, the following are the gaps with training and awareness programs:
- Training programs are not aligned with the risk assessment that has identified the potential risk areas to the business and organization;
- The success of the majority of training programs is immeasurable;
- The majority of training programs are unrealistic and based on generic aspects, i.e. they're not tailor-made;
- The focus is more on the presentation, or on having a training program as a periodic exercise, than on what people want.
So what next?
Simple. Just three aspects:
- Conduct risk assessment to identify risks;
- Target behavior change;
- Prepare a yearly timeline and set realistic targets;
- Engage people personally.
Let's get realistic. Let's start putting effort in the right direction, because you either already are, or you will have to anyway. Remember, precautions are always easier than corrections! Awareness has to be embedded in the most important and most vulnerable asset of the organization, its human resources, i.e. people, and at certain stages in some organizations this has been done.
For example, when was the last time you changed the password of your LinkedIn, Facebook or Twitter account? That's because LinkedIn or Facebook doesn't prompt you to change your password every 60 days! But if you work in an organization where the password must be changed every 60 days, you will do it, and there is no other way to avoid it. But again, not every organization has this practice implemented, or it is restricted to certain users; yet they will always talk about securing their data and protecting their machines / workstations with passwords!
Tail-gating, phishing emails, malware attacks: you've been talking about them in your training, but no one takes them seriously. Implement practices to curb them, or to catch hold of people and train them that they are doing it wrong.
For example: create a dummy account, send an email which looks like a phishing mail, and see how many open it. Call those people and then train them that it is not the correct practice and they shouldn't be opening such emails; make them aware of real-world incidents of how the accounts of even many CEOs and CTOs were compromised because of phishing emails, and the consequences; and ask them to report such emails to the network monitoring team (or whoever takes care of these aspects in the organization).
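The article's suggestion above also answers its own earlier complaint that the success of training is immeasurable: a simulated-phishing round produces an event log, and that log can be scored. The following is an added example, not code from the original article or from any particular product. It assumes a constructed CSV log with one row per event, where the event names delivered, opened, clicked and reported are assumptions of the example and not any real tool's vocabulary. It computes click and report rates per department, lists the people to call for training (those who clicked), and lists those who reported the mail, which is the behaviour the article asks people to adopt and which an organization should track and recognise.

```python
"""Score a simulated-phishing round from its event log (added example).

The log format and the event vocabulary below are assumptions made for
this example; a real mail-tracking system will use its own names.
"""
import csv
import io
from collections import defaultdict

# Constructed event names for this example.
EVENTS = {"delivered", "opened", "clicked", "reported"}

# Constructed sample log for one round: one row per event, per user.
SAMPLE_LOG = """\
user,department,event,timestamp
alice,finance,delivered,2024-03-04T09:00:00
alice,finance,opened,2024-03-04T09:05:00
alice,finance,clicked,2024-03-04T09:06:00
bob,finance,delivered,2024-03-04T09:00:00
bob,finance,reported,2024-03-04T09:12:00
carol,it,delivered,2024-03-04T09:00:00
carol,it,opened,2024-03-04T09:20:00
carol,it,reported,2024-03-04T09:21:00
dave,hr,delivered,2024-03-04T09:00:00
dave,hr,clicked,2024-03-04T10:40:00
erin,hr,delivered,2024-03-04T09:00:00
frank,it,delivered,2024-03-04T09:00:00
frank,it,clicked,2024-03-04T11:02:00
frank,it,reported,2024-03-04T11:05:00
"""


def parse_log(text):
    """Return {user: (department, set_of_events)}; rejects unknown events."""
    users = {}
    for row in csv.DictReader(io.StringIO(text)):
        event = row["event"].strip()
        if event not in EVENTS:
            raise ValueError(f"unknown event {event!r} for user {row['user']}")
        # setdefault returns the existing tuple, so the set is shared and mutated in place.
        _dept, events = users.setdefault(row["user"], (row["department"], set()))
        events.add(event)
    return users


def _did_open(events):
    # A click implies the mail was opened even when no 'opened' event was logged
    # (tracking pixels do not fire when images are blocked), so count clicks as opens.
    return "opened" in events or "clicked" in events


def score(users):
    """Per-department and overall counts plus click and report rates."""
    empty = lambda: {"delivered": 0, "opened": 0, "clicked": 0, "reported": 0}
    buckets = defaultdict(empty)
    for dept, events in users.values():
        for scope in (dept, "all"):
            b = buckets[scope]
            b["delivered"] += int("delivered" in events)
            b["opened"] += int(_did_open(events))
            b["clicked"] += int("clicked" in events)
            b["reported"] += int("reported" in events)
    for b in buckets.values():
        n = b["delivered"] or 1  # guard against an empty bucket
        b["click_rate"] = round(b["clicked"] / n, 3)
        b["report_rate"] = round(b["reported"] / n, 3)
    return dict(buckets)


def needs_training(users):
    """Users who clicked the link: the people to call, as the article suggests."""
    return sorted(u for u, (_, ev) in users.items() if "clicked" in ev)


def reporters(users):
    """Users who reported the mail: the behaviour to recognise and reward."""
    return sorted(u for u, (_, ev) in users.items() if "reported" in ev)


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for scope, b in sorted(score(parsed).items()):
        print(f"{scope:8} delivered={b['delivered']} clicked={b['clicked']} "
              f"reported={b['reported']} click_rate={b['click_rate']} "
              f"report_rate={b['report_rate']}")
    print("call for training:", needs_training(parsed))
    print("reported the mail:", reporters(parsed))
```

Comparing the click rate and the report rate of one round against the previous round, per department, gives the measurable target the article says most programs lack; a falling click rate with a rising report rate is the behaviour change it is after.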
You see an unlocked workstation? Click on it, and then tell the custodian, with a pinch of humor, that you were about to send his resignation letter to his boss.
I believe information security is one of the most discussed and challenging subjects for organizations, federal agencies and governments, but at the same time it is one of the easiest practices for securing information, if only you follow the basics and the underlying processes efficiently. The most basic fundamental of information security is the fact that it all depends on the custodians themselves realizing how vulnerable they are, and it is they who must follow and embed a culture around them to become immune to InfoSec attacks! It is like snow and rain, which target everything around you, but if you have the right gear you will walk without feeling a pinch of it.