Protecting your company online begins with ensuring your employees are prepared to assist in keeping your computers and networks safe.
Information security is a process that moves through phases building and strengthening itself along the way. Security is a journey not a destination. Although the Information Security process has many strategies and activities, we can group them all into three distinct phases - prevention, detection, and response.
The ultimate goal of the information security process is to protect three unique attributes of information. They are:
- Confidentiality – Information should only be seen by those persons authorized to see it. Information could be confidential because it is proprietary information that is created and owned by the organization or it may be customers’ personal information that must be kept confidential due to legal responsibilities.
- Integrity – Information must not be corrupted, degraded, or modified. Measures must be taken to insulate information from accidental and deliberate change.
- Availability – Information must be kept available to authorized persons when they need it.
Attacks compromise systems in a number of ways that affect one if not all of these attributes. An attack on confidentiality would be unauthorized disclosure of information. An attack on integrity would be the destruction or corruption of information and an attack on availability would be a disruption or denial of services.
Information security protects these attributes by:
- Protecting confidentiality
- Ensuring integrity
- Maintaining availability
An organization succeeds in protecting these attributes by proper planning. Proper planning before an incident will greatly reduce the risks of an attack and greatly increase the capabilities of a timely and effective detection and response if an attack occurs.
The best security technology in the world can't help you unless employees understand their roles and responsibilities in safeguarding sensitive data and protecting company resources. This will involve putting practices and policies in place that promote security and training employees to be able to identify and avoid risks.
A firm’s security strategy will only work if employees are properly trained on it. Therefore, the importance of providing information security awareness training cannot be understated. The goal of an awareness program is not merely to educate employees on potential security threats and what they can do to prevent them. A larger goal should be to change the culture of your organization to focus on the importance of security and get buy-in from end users to serve as an added layer of defense against security threats.
Once you have buy-in from employees, your focus can turn to ensuring they get the necessary information they need to secure your business. An effective security awareness program should include education on specific threat types, including but not limited to:
- Social engineering
Another important area to address is the importance of password construction and security. Seems minor? It’s not. Believe it or not, password cracking is remarkably easy, particularly for advanced hackers. And this ‘minor’ step that users take every day could make a significant difference in protecting your firm’s sensitive information.
Talk to Your Employees About
- Keeping a clean machine: Your company should have clear rules for what employees can install and keep on their work computers. Make sure they understand and abide by these rules. Unknown outside programs can open security vulnerabilities in your network.
- Following good password practices: Making passwords long and strong, with a mix of uppercase and lowercase letters, numbers and symbols, along with changing them routinely and keeping them private are the easiest and most effective steps your employees can take to protect your data.
- When in doubt, throw it out: Employees should know not to open suspicious links in email, tweets, posts, online ads, messages or attachments – even if they know the source. Employees should also be instructed about your company's spam filters and how to use them to prevent unwanted, harmful email.
- Backing up their work: Whether you set your employees' computers to backup automatically or ask that they do it themselves, employees should be instructed on their role in protecting their work.
- Staying watchful and speaking up: Your employees should be encouraged to keep an eye out and say something if they notice strange happenings on their computer.
Information Security Awareness Program
A good Information Security Awareness Program highlights the importance of information security and introduces the Information Security Policies and Procedures in a simple yet effective way so that employees are able to understand the policies and are aware of the procedures.
Listed below are some of the methods used to communicate the importance of Information Security Policies and Procedures to the employees.
1. Information Classification, Handling and Disposal
All information must be labeled according to how sensitive it is and who is the target audience. Information must be labeled as “Secret”, “Confidential”, “Internal Use Only” or “Public”. Documents that are labeled “Secret” or “Confidential” must be locked away at the end of the workday. Electronic information (Secret or Confidential) should be encrypted or password protected. When the information is no longer required, documents should be shredded while files should be electronically shredded.
2. System Access
No sharing of UserID and password is allowed and staff are made aware of their responsibility on safeguarding their user account and password. Staff are also provided with some useful Password Tips on how to select a good password.
All computers must have anti virus software installed and it is the responsibility of all staff to scan their computer regularly. All software and incoming files should be scanned and staff are advised to scan new data files and software before they are opened or executed. Staff are educated on the importance of scanning and how a virus can crash a hard drive and bring down the office network.
Staff are advised that they are responsible for their own personal computer backup and they should backup at least once a week.
5. Software Licenses
Software piracy is against the law and staff are advised not to install any software without a proper license.
6. Internet Use
Staff are advised that Internet use is monitored. Staff should not visit inappropriate websites such as hacker sites, pornographic sites and gambling sites. No software or hacker tools should be downloaded as well.
7. Email Use
Staff should not use the email system for the following reasons
- Chain letters
- Non company sponsored charitable solicitations
- Political campaign materials
- Religious work, harassment
- And any other non-business use.
Staff are allowed to use the email for personal use but within reason.
8. Physical security of notebooks
All notebooks should be secured after business hours in a cabinet, in a docking station or with a cable lock.
9. Internal Network Protection
All workstations should have a password protected screen saver to prevent unauthorized access into the network. For those using, Windows 7, they should lock their workstation. To prevent staff from downloading screen savers from the Internet, you can restrict the screen savers to the default ones which come with Windows 7.
10. Release of Information to Third Parties
Confidential information should not be released to third parties unless there is a need to know and a Non Disclosure Agreement has been signed. It is the responsibility of all staff to safeguard the company’s information.
Training materials should also review corporate policies and clearly detail consequences for any suspicious or malicious behavior amongst employees. For your convenience, we’ve compiled a variety of information on various security policies, including:
- Acceptable Use
- Social Media
- Bring Your Own Device
- Security Incident Management
Dos and Don’ts
A Dos and Don’ts checklist is given to all new staff upon joining company. As it may be sometime before they attend the actual security training, the checklist would be a good and easy way for them to learn about what they should and should not do. The information in the checklist is listed below.
- Do not share your password with anyone including staff
- Do not write your password on any paper, whiteboard or post it pad
- Do not use easy to remember words as passwords e.g. Aug2001
- Do not use personal information or any word in any language spelled forwards or backwards in any dictionary
- Do not visit inappropriate web sites e.g. pornographic or hacker web sites
- Do not download unlawful or unlicensed software from the Internet
- Do not install unlicensed software onto your computer
- Do change your password regularly for every system.
- Do use a combination of letters, symbols and number for passwords
- Do use difficult passwords which are at least 6 characters long
- Do enable your Screen Saver Password or lock your workstation
- Do scan your computer regularly for viruses and any diskettes as well before you use them on your computer
- Do check that your virus software patches have been updated when you receive the regular update emails from Desktop Support
- Do backup your data at least once a week. It is your responsibility to do so.
- Do lock away all confidential documents, files and diskettes at the end of each work day
Training Your Employees
Training employees is a critical element of security. They need to understand the value of protecting customer and colleague information and their role in keeping it safe. They also need a basic grounding in other risks and how to make good judgments online.
Most importantly, they need to know the policies and practices you expect them to follow in the workplace regarding Internet safety.