There's no cure for stupidity

Despite having the most advanced firewall, virus protection or intrusion detection system, the weakest link in any company's security chain remains its people: negligent, careless and uneducated employees.

The Ernst & Young Global Information Security Survey last year revealed that end-user security training was the number one problem inside large organisations. Yet less than half of the respondents said their companies had a formal training programme to meet that threat.

How stupid can you be? Surely common sense should prevail and basic employee awareness about the threats and risks to business should be a standard practice in all companies?

It is imperative, according to Patrick Evans, regional director of Symantec Africa, that employees are educated on the correct processes to follow when handling company data and in so doing, become a "human firewall" and part of an organisation's first line of defence.

By far the biggest challenge when implementing security policies and procedures is managing the human risk factor and ensuring staff are educated and informed, he acknowledges. "Unless properly educated," says Evans, "it can be relatively easy for hackers and other criminals to gain access to corporate systems by tricking staff into providing them with information."

This "social engineering" is an important tool for hackers the world over and refers to the process by which a hacker takes advantage of normal human behaviour such as a willingness to help, understanding, curiosity and innocence. The hacker or "social engineer" flatters, dissembles, adapts to his counterpart, flirts, passes compliments, pleads, begs or threatens to ensure that he obtains what he wants.

Unfortunately, according to Evans, companies are under an illusion that if they implement a modern security system it will completely protect company information from any misuse.

He believes that staff should be trained to ask the following basic questions on a daily basis to assess their level of security consciousness:

1. Are people always who they profess to be?
2. Do I allow strangers access to secure areas of the company?
3. Do I assign a value to my password?
4. Do I keep diskettes and CD-ROMs with company-relevant information as secure as I do important documents?
5. Do I use a password-protected screensaver when I leave my workplace?
6. Can other people look over my shoulder when I am working at my computer?
7. Do I lock away notebooks, printouts, or books with important information about the company?
8. Do I destroy documents with information relevant to the company in a shredder, as soon as I no longer need them?
9. Do I sometimes leave important documents in the copier or the printer?
10. Do I discuss topics relating to the company in public?

"No firewall, advanced virus protection or intrusion detection system can secure the 'weak spot' represented by negligent or careless employees and security is not an exclusive domain shared by system administrators and security guards. While specialist security technologists are crucial, they must be supported by security-conscious members of staff who behave appropriately," Evans concludes.