Strong security is not just about technology. You can buy the strongest, most expensive safe in the world but if you don’t keep its combination secret, it's useless. The same is true with data protection. Your company might have bought state-of-the-art encryption technology but it's unlikely to be effective if your employees are not security-wise.
We make security versus productivity trade-offs every day, which means regular security training is critical for keeping both company and customer data safe. For example, should an employee use an encrypted USB stick if they are accessing confidential documents via a hotel’s business centre PC? Would your staff notice and raise the alarm if an SSL browser session to a cloud-based business service was intercepted? What additional precautions are necessary when travelling overseas? What are the risks associated with using a cloud-based meeting service?
Here are some top tips for making your staff security-wise:
Build a culture of good personal security
Advanced Persistent Threats tend to start with criminals going after high-reward targets: administrators and staff with high levels of access to applications or data. LinkedIn, Twitter and Facebook can be used by canny attackers to identify and obtain background information about these individuals. Good enterprise security really does start with good personal security. Companies need to educate and empower staff to make sensible information security judgements when responding to emails or sharing job-related information via social media.
Don’t conflate security and productivity
IT departments too often rely on Acceptable Use Policies and technical measures such as web security products to “enforce” good security practices. Avoid mixing security and productivity policies in a generic set of abstract restrictions: staff will be less inclined to circumvent technical controls and are more likely to respect policies during their lunch break if they understand the rationale and threats behind the corporate Acceptable Use Policy.
Enforce dual control
To remain secure, companies of all sizes need to enforce strong dual control for the most sensitive operations. Even if you have unbreakable cryptography and completely trustworthy staff, attackers can go after “super users”, as they represent a single point of attack with the potential for very high reward. For example, if software-based encryption is used, a systems administrator often has access to data encryption keys. If the administrator’s account is compromised by a successful social engineering attack, then your past, present and future data may be vulnerable and exposed while you still believe it is safe. Therefore ensure that control by more than one person is required in order to access sensitive data or to provision sensitive encryption keys.
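One way to make “control by more than one person” a property of the key material itself rather than a procedure is threshold secret sharing: the key-encryption key is split so that any two of three custodians can reconstruct it, while a single custodian (or a single compromised account) holds nothing usable. The following is an added example written for this article, not code from it; it implements Shamir’s scheme over the Mersenne prime field 2^521 − 1 (an assumed choice, large enough to hold a 256-bit key) and the 2-of-3 custodian split is likewise an assumption.

```python
"""Dual control for a key-encryption key via Shamir secret sharing.

The KEK is one element of GF(P). split_secret() evaluates a random
polynomial of degree k-1 whose constant term is the KEK at x = 1..n;
recover_secret() interpolates the constant term from any k shares.
Example prime and parameters are assumptions, not from the article.
"""
import secrets

P = 2**521 - 1  # Mersenne prime; any 256-bit key is a valid field element


def split_secret(secret: int, k: int, n: int) -> list[tuple[int, int]]:
    """Return n shares (x, y) such that any k of them recover `secret`."""
    if not 0 <= secret < P or not 1 <= k <= n:
        raise ValueError("bad parameters")
    # Random coefficients for x^1 .. x^(k-1); the constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of the polynomial
            y = (y * x + c) % P
        shares.append((x, y))
    return shares


def recover_secret(shares: list[tuple[int, int]], k: int) -> int:
    """Lagrange-interpolate the polynomial at x = 0 from k shares."""
    if len(shares) < k:
        raise ValueError("dual control: fewer custodians than threshold")
    pts = shares[:k]
    xs = [x for x, _ in pts]
    if len(set(xs)) != k:
        raise ValueError("duplicate share index")
    secret = 0
    for xi, yi in pts:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % P        # factor (0 - xj)
                den = den * (xi - xj) % P    # factor (xi - xj)
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret


if __name__ == "__main__":
    kek = secrets.randbits(256)                 # constructed sample KEK
    custodians = split_secret(kek, k=2, n=3)    # admin, security, finance
    assert recover_secret(custodians[1:], 2) == kek
```

Provisioning the KEK then requires two custodians to each present a share, and no single administrator account holds a value from which the key can be derived.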
Keep data classified
With today’s fibre optic broadband speeds and the huge storage capacity of every mobile or portable device, massive amounts of data can leave an organisation within seconds. Encourage all staff to classify and apply protective markings to sensitive assets to help them make good information security judgements. If sensitive data is properly classified, employees can know when it is safe to read a document on a personal iPad and when a spreadsheet should only be edited via a remote desktop to reduce its exposure. With the advent of BYOD, organisations may want to consider providing staff with subsidised security products for home use (potentially as part of an enterprise PKI which can issue digital certificates and enforce limited trust).
Train the trainers
Finally, make sure that IT staff, PC support, administrators, and other staff who have regular contact with employees receive regular security briefings. IT staff are often the key to developing a culture of proactive security both through formal training and by demonstrating and cascading good security practice in their daily interactions with end users.
Effective long-term security requires a shift in mindset that can only be achieved when regular staff training is a priority. The way we configure and use information technology is just as important as the choice of security products and policies. While the return on investment for security is notoriously hard to measure, regular training as part of a balanced and holistic approach to security will deliver greater incremental benefits per pound or dollar spent than security strategies that rely on technology and security products alone.