All it takes is just one human element in the system to compromise everything. Wherever there is a human element, there is always a risk of potentially catastrophic mistakes.
Be it the increase in cyber activity generally or legislative activity around things such as GDPR and the NIS Directive, there’s no ignoring the rising importance of information security in business risk management and planning. Historically, IT has been the go-to department when it comes to information security, yet over the past twelve months, Forfusion has seen a shift in opinion, whereby we now talk about security in the context of the perfect balance between people, process and technology.
By considering each of these elements and understanding the relationship between them intimately, you have the best chance of making your business a better and safer place to work. Towards the end of 2017, the impact of the people element became headline news on more than one occasion, and it’s worth looking at this in a little more detail.
It only takes a single human in the system to change everything. Regardless of whether the individual is an employee, a contractor or facility staff, company security culture needs to be inclusive of all personnel. But how?
The reality is that IT security can be perceived as negative, designed to limit the amount of control employees have over systems and their equipment. This can lead to employees bypassing security measures that are in place so that they can maintain productivity whilst at work.
Ironically, if an employee requires increased privilege or additional tools to maintain their work efficiency, they should feel able to discuss it with security staff, and IT staff should welcome employee requests, as this is often the ideal opportunity to engage and educate.
Additional measures such as training and poster campaigns provide guidance for employees to protect their work environment, and everyone should be encouraged to carry these behaviours into their home environment. This is especially pertinent for remote or occasional home workers.
The work/home boundary is more complex than ever before; social media networks are frequently used for both personal and business objectives interchangeably, often blurring the line between the two environments. This cross-over can be risky, and a divide needs to be created and maintained via the implementation of Acceptable Use Policies, which are a must in order to protect both the user and the company.
Security knowledge in employees should never be assumed, nor considered common sense; creating an educational environment is just as important as incorporating a culture. The simple adage "tell me, and I will forget; educate me, and I will remember; involve me, and I will understand" proves useful when discussing IT security. Telling employees that phishing emails are bad does not help them to identify or understand the risks involved. Taking apart a phishing email and showing employees why it’s dangerous will provide education. Running phishing assessments with instant feedback can involve and engage employees whilst also providing education.
Don’t presume to dictate to employees; they often know their job better than you do. Instead, think about open discussions and learning groups which will engage them and, better yet, may reveal anomalous events or behaviour previously unknown to the organisation.
In conclusion, the human firewall needs to be understood to be effective. Its utilisation is an asset to your company; you just need to turn it on.