Know Your Employee (KYE) – The Human Factor in Information Security

Posted on May 29, 2008
Filed Under Information Security Awareness |

The Man and his Beautiful Wife
Once there lived a man who had a beautiful wife. The man was so concerned about her that he never dared to take her to parties or public gatherings. He was afraid that someone would take his beautiful wife away. He got the best security system in place to protect the house from intruders. He had round-the-clock security for his house against trespassers. He planted several traps for intruders around the place. But in spite of all this, one fine morning he found his wife missing from the house, and he finally came to know that she had been taken away by his servant. How did this happen? He had everything in place to protect his wife, but still he lost her.

The cross-section of the story
Let's go into that in detail. We are not concerned about the man or his wife; our only concern is the reason for this. As I said, he had the best security system in place, but he never VERIFIED that it worked. He had security guards against intruders, but he never checked their credentials or integrity. He had several traps and controls as well, but he was not able to preserve their confidentiality. This is the case with information security in many organizations. They have the world's best access control in place; they have the best firewalls and IDS, or let us say the best technical and process controls. So obviously they feel that they are 100% secure and that their information has no chance of leaking. In fact, the truth is that they are the most vulnerable to attacks. Now the question is: if it is not technical controls or processes, what is the factor that influences information security to the greatest extent? It is the HUMAN FACTOR, nothing else. As you all know, in early times war was fought with weapons like stone, sword and knife; later it moved to guns and missiles; as technology advanced, nuclear warfare came; and now it is the time of information warfare.

Firewalls, Antivirus, IDS & Myths
In today's business, for any organization, information is the primary and most critical asset. It is this information that keeps the company alive in its competitive world. So if the company cannot preserve the Confidentiality, Integrity and Availability of its information (we information security professionals call it the CIA), the organization cannot survive in its domain. If the company needs to preserve the CIA of its information, it should understand the influence of the human factor. If it can understand this, we can say that it has started to understand information security. Many organizations feel that if they have a firewall, antivirus and an IDS in place, they are safe from attacks and have achieved 100% security. This is completely wrong. Technical controls contribute a mere 10% to information security. Deploying technical controls is the easiest part of information security; the most complicated part is, of course, human intervention. Whatever processes you implement and defenses you build, if the users have zero awareness of the CIA of the information they handle, all you do is a waste. That is why organizations are spending more money and resources on user awareness, training and so on.

Information Security – Where should it start from?
Information security in any organization should start from the employees. The employees should know the sensitivity of the data they handle and, of course, its value too. Many organizations have a false belief that an ISO (Information Security Officer) and a security team will make the organization secure. You can't expect the Information Security Officer to make your organization 100% secure; the ISO is like every other employee and has limitations. So if you need the organization to be secure, the employees should work together towards the common objective of achieving 100% security (although 100% security is a myth, at least the organization will be doing its best to preserve the CIA of the information it handles).

Employee background check
A proper background check should be done on each employee prior to appointment. Performing verification for the sake of doing it is of no use (this is what most organizations do). The verification should cover past employment, the reason for leaving the previous employer, criminal records and family background.

Employee Training
Employees should undergo awareness programs and training in information security, and most importantly, this should be interactive. Nobody likes long training sessions packed with dense technical and process material; instead, it should be made interesting with case studies and role-play. There should be methods to measure the employees' current level of information security awareness. This can be done by tests or interviews. A training calendar should be prepared for the year, and of course information security should be part of the induction process.

Security needs innovative thinking and creativity
The security team should think from the basic level and perspective, or I would rather say that the InfoSec team should come down to the employee level. This is where the real expertise of an information security professional lies: he should be able to communicate on their wavelength. You can't expect an employee on the assembly line to have knowledge of social engineering, but it is possible to educate them on social engineering, and for this the team should work out its own strategy. Training should be a continuous process, and the training program should be modified according to time and needs.
To conclude, an organization that treats information security as a reality and not as a showpiece will have its policies and processes lined up to meet these challenges.

Thomas Kurian Ambattu
