Everyone is responsible for information security

The world of information security is, arguably, the fastest evolving sector of the IT industry. If only we had our very own stormtrooper to guard our data and information when we are away!

It is no exaggeration to state that new exploits are written every day, and the InfoSec community responds to these threats with no less rapidity. As the field continues to evolve, we can rarely go a few short months without a game-changing exploit dropping, or sensitive, personal information being stolen by malicious agents.

We live in a world where information security is paramount.

We cannot ignore that 68% of security incidents are caused by user error, with an average of 50% caused by simple negligence.

The responsibility for information security is incumbent on every member of an organisation. Here we share 5 relatively simple steps to take to ensure that everyone in your organisation understands the importance of security and takes the necessary actions to deal with threats and avoid a breach.

1. Training

The first step in strengthening the human element against security threats is training. When the responsibility falls on every single person, it becomes paramount that these people know and, more importantly, follow information security guidelines.

As security threats are in constant flux, our guidelines must also change along with them. Ten years ago, an 8 character alphanumeric password would cut it. Today, thanks to modern techniques and more computing power, 12 characters could be considered a bare minimum. Moore’s Law also suggests that, in another 10 years, we may well be looking at 16 or 24 character passwords at a minimum.

2. A Secured Toolkit

The most common breach, as well as one of the most dangerous when we talk about the human effect on information security, comes not out of malice but familiarity. The use of tools with known security flaws and defects.

Many IT security professionals will have heard the same. “But I’ve used <program> for years.” Familiarity may cause people to use older, insecure versions of programs for the sake of convenience.

3. An Open Conversation

The single most important aspect of information security when dealing with the human element is an open conversation. A flowing dialogue back and forth. Within security, open nature is a virtue despite how this might seem like a contradiction.

We can explain with an example from a cornerstone of security, the VPN.

VPNs are virtual private networks that allow computers scattered across physical space to all connect to the same network. Two common VPN protocols are SSTP and OpenVPN. SSTP is a proprietary Microsoft protocol while OpenVPN is open source.

SSTP’s code has never been released to the public, and as such, no independent review of its security can be performed. By contrast, OpenVPN can be confirmed secure by the creators of the protocol, as well as the Open Source Community who have sifted through every line of code.

The open dialogue is so important. The closed, restricted approach creates an adversarial workspace. An atmosphere of ‘Us vs Them’, with Us being the IT security staff and Them being everyone who feels constricted by untrusting regulations.

4. The Environment of Security

The third-party environment is often seen as a wheel and spoke architecture, and from a single point-of-view, this is technically correct.

However, when looking at the picture from a higher level, we can see an interlinking of networks and services. Outlook for email; Amazon Web Services as a hosting supplier; Oracle and Salesforce to supply our Marketing Automation platforms.

Any company, even a third-party, requires the interlinking security provided when each and every link in the chain lives up to the same security standards.

5. Monitoring

While information security is incumbent on every member of an organization, so too is the responsibility for reporting breaches. Once an employee is taught the rules, it is on them to ensure they follow them, and to report any breaches they may notice. As before, it’s an environment of trust and trust flows both ways.

This, by no means, suggests that the job of information security is over with training. Not only does the InfoSec professional have to act as the interface for the open conversation we discussed before, but they also must monitor the networks, servers, and even the usage of IT devices.

As the Russians say: Доверяй, но проверяй. Trust, but verify.

Photo by Liam Tucker on Unsplash