Dealing with the dissemination of security threats (page 6 of 6)
- Saturday, January 01 - 2005 at 09:11
Solutions:
• Make sure you know whether you have a security policy in place. If you do, make sure employees are trained on the policy - don't just rely on an 'I Agree' click on a login screen.
• Incident response procedures should be put in place that define the plan of action for given incidents:
  • Identify who does what, and when.
  • Identify which systems might be affected and plan recovery methods.
  • Any procedure must cover all functional areas, not just IT, e.g. brand/PR, HR, customer relations, etc.
• Educate users on their responsibility to notify a nominated person of any abnormal activity, but don't rely solely on this. Ensure you also have monitoring in place, such as intrusion detection, so that you are alerted promptly and can act proactively rather than reactively.
• Look at your IT employee structure, the roles staff have to undertake and their administrator rights - make sure each person only has rights to the resources needed for their specific role.
• Make sure you calculate what you need to secure and allocate IT budget accordingly. Don't just rely on a ballpark figure of 1% of the IT budget - you cannot know that 1% will be enough.
• To see how good your security is, take a look at www.humanfirewall.org where you can benchmark how you're doing against peers in your industry.
The Seven Deadly Sins of Security
Finally, remember that there are many reasons why systems are breached, but some are more common than others - so move to block these and the risk is minimised. Most find their roots in the following areas:
1. Gullibility
Anything from people impersonating someone else to obtain information (e.g. over the phone) to users sending sensitive documents to other parties who may not be all that they seem.
2. Curiosity
Typically people entering systems where they should not be, not necessarily out of malice but out of inquisitiveness.
3. Courtesy
For example, holding a door open for an unknown person at a swipe card entry point, allowing them to bypass security; or giving your password to a third party without really questioning why they might want it.
4. Greed
A desire for intellectual or monetary gain from illegal entry to systems or pure theft.
5. Diffidence
Such as allowing people to look over your shoulder while you enter a password.
6. Thoughtlessness
Security should always be at the front of users' minds. If it's not, there's a real risk of compromise.
7. Apathy
A failure to shred documents, a lack of caution where outsiders are concerned; in general, the "it's not my responsibility" attitude.
Articles in this section are primarily provided directly by the companies appearing or PR agencies which are solely responsible for the content. The companies concerned may use the above content on their respective web sites provided they link back to http://www.ameinfo.com
Any opinions, advice, statements, offers or other information expressed in this section of the AMEinfo.com Web site are those of the authors and do not necessarily reflect the views of AME Info FZ LLC / 4C. AME Info FZ LLC / 4C is not responsible or liable for the content, accuracy or reliability of any material, advice, opinion or statement in this section of the AMEinfo.com Web site.

Computer Associates