Sitting at the new international airport in Bangalore, I was thinking about the hue and cry the new airport raised. Of course, the fundamental problem was not the airport in itself, but the connectivity from the Bangalore City to the airport. But, unfortunately, the airport ended up as the villain of the piece. Readers from India, may be familiar with the whole story.

In spite of all the issues that is raised, I am sure that it is only a matter of time before the airport proves it’s worth. The simple reason being that for “1″ negative aspect, there are a “100″ other positive aspects to the new airport.

Sometimes, information security works in the same manner. For the end-user information security means “restriction”. This means restriction of internet access, email, where you can go within the company, where you cannot go etc. Hence, initially, similar to the Bangalore airport, the acceptance is low. But over a period of time, people start seeing the positives. Some of the positives of good information security are,

• More business, because customers are more confident
• This means, employees get more rewards (pay, promotions etc.)
• More business means, the company earns more respect, which in turn makes employees proud and gather more self esteem

Good information security has many intangible benefits that people should see through. Of course, a good information security manager will be able to see this and slowly guide his workforce through the period of change. Just like the new Bangalore airport

Anup

The cross section of the story
 Let’s go to that in detail, we are not concerned about the man or his wife, our only concern is the reason for this. As I told he had the best security system in place but he was not able to ASSERT the working. He had security guards against the intruders but he never checked the credentials or integrity. He had several traps and controls also but was not able to preserve the confidentiality of the same. This is the case of Information Security with many organizations. They have the worlds best Access Control in place they will have the best Firewalls, IDS, or let say the best technical & process controls in place. So obviously they will have a feeling that we are 100% secure and our information has no chances for leakage. In fact the truth is that, they are most vulnerable to attacks. Now the question is, if it is not technical controls or processes what is the factor that influences Information Security to the greater extent. It is the HUMAN FACTOR, nothing else. As you all know in the early times, war was with weapons like stone, sword and Knife later it was transferred to Guns and missiles, as technology advanced then came the nuclear warfare and now it is the time of Information Warfare. 

Firewalls, Antivirus, IDS & Myths 
In today’s business, for any organization, information is the primary and critical asset. It is this information that keeps the company exists in its competitive world. So if the company cannot preserve the Confidentiality, Integrity or Availability (we Information Security professionals call it the CIA) this means that the organization cannot exist in their domain. If the company needs to preserve the CIA of the information they should understand the influence of the Human Factor. If they can understand this, we can say that they started knowing Information Security. Many Organizations have a feeling that if they have a Firewall, Antivirus and an IDS in-place, they are safe from attacks and they have achieved 100% Security. This is completely wrong. Technical controls can contribute a mere 10% to Information Security. Deploying technical controls is the easiest part in Information security; the most complicated part is of-course the human intervention. Whatever processes you implement and defenses you build, if the users have zero awareness on the CIA of information they handle, all you do is a waste. That is why organizations are spending more money & resources in User Awareness, Training etc. 

Information Security – Where should it start from?
 Information Security of any Organization should start from the employees. The employees should know the seriousness of the data they handle and of course the value of it too. Many organizations has a false believe that an ISO (Information Security Officer) and a Security Team will make the organization secure, you can’t expect the Information Security Officer to make your organization 100% secure. ISO is like all other employees, he has limitations. So if you need the organization to be secure, the employees should work together for the common objective of achieving a 100% security (Although 100% security is a myth, at least the organization will be at its best to preserve the CIA of the information it handles). 

Employee background check 
Proper background check should be done for employee prior to the appointment. Performing verification for the sake of doing it won’t be of any use. (This is what most organization does).The verification should track his past employment, the reason for leaving the past employer, criminal track records and his family background. 

Employee Training 
The employees should undergo awareness programs & training for Information security and the most important thing is, this should be interactive, nobody likes long trainings packed with solid technical & process stuff, instead it should be made interesting with case studies, role-play. There should be methods to measure the current awareness level of the employees on Information Security. This can be done by of test or interviews. The training calendar should be prepared for the year and of course information security should be a part of the induction process 

Security needs innovative thinking and creativity 
The security team should think from the basic level, perspective or I would rather say that InfoSec team should come down to the employee level. This is where the real expertise of an information security professional lies. He should be able to communicate in their wave length. You can’t expect an employee in the assembly line to have knowledge on social engineering. But it is possible to educate them on social engineering, for this the team should find out their own strategy. The training should be a continuous process. The training program should be modified according to time and needs.  
To conclude, an organization that realize information security and not as a show piece will have their policies and processes lined up to meet these challenges.

Thomas Kurian Ambattu

Observing the traffic in Bangalore, you realize something important that you can apply for information security awareness management. Almost all drivers in Bangalore are “AWARE” of the traffic rules and that is the reason why they have passed the driving license exam and received their licenses.

But “AWARENESS” does not necessarily translate into BEHAVIOR (see the image above).

This is the situation with Corporate Information Security Awareness programs too. They focus very much on creating awareness through training sessions, posters, emails etc. But, how often do they go beyond awareness to check whether the awareness translates into “Behavior”.

Anup

The team at whatsyourisq.com has created a simple video that illustrates the steps that can be taken to prevent laptop thefts. Please share this video with your workforce to improve laptop security awareness. (Click on the image below)

Thank You,

Anup Narayanan

iPod is widely used by people and many of them bring it to the workplace. iPods have massive storage capacity and it can be used as a channel to steal corporate information.

Read more on IPod: Entertainment or Information Security Threat?

Read more on work from home security….

Gary spent some time answering questions posted by Asok Ramachandran, security researcher for whatsyourisq.com. The questions covered a broad range of aspects associated with information security awareness. Continue reading…… Interview questionnaire for Gary Hinson

Asok: Tell us a bit about how you became interested in the “human aspect of information security” i.e. information security awareness?

Gary: It’s something that developed gradually over the course of my career in the field of IT governance (information security management, IT audit and IT risk management). The audit work, in particular, led me to realize that “computer problems” are in fact almost always “people problems” - usually mistakes or misunderstandings by the people that designed and developed software, and sometimes staff and management issues around the way the systems are specified and used. Read more on the importance of information security awareness - Interview with Gary Hinson

Read more on Finding security bugs in our brain

Read more on - (Blu-Ray and HD DVD) Gigantic storage devices come with a solution for security

Click here to go to the article.