Sunday, November 30, 2014

Information Security - More about Implanting Practices Than Just Awareness & Training

With more and more data being stored electronically and put online, information security has become a vital area of discussion and concern for organizations, federal agencies, governments, and even individuals.

Because of this, many organizations spend a certain amount of effort and time conducting awareness training and finding ways to make people more aware through hoardings, sign boards and the like. This is the short-cut approach to educating their most vulnerable information security asset, their people, about the risks they face and the responsibility they carry.

But let's be honest with ourselves: have we been successful? I still hear of organizations, colleagues, friends and acquaintances compromising vital information and getting hooked, whether it is their own personal credit cards, documents or anything else!

I believe that a well-presented training and awareness program does invoke thoughts about aspects of information security and the value of being secure, but it CANNOT ensure that attendees carry that thought forward and actually implement it in their lives, unless and until they happen to witness an incident themselves!
Through this article, I am trying to open a line of thought where we think beyond training and awareness campaigns and actually implant the practices themselves in people.
Everybody is aware that they should wear a seat-belt while driving and a helmet while riding; everybody is aware that smoking tobacco is injurious to health; everybody is aware of the benefits of good eating habits, daily exercise and waking up early. Awareness exists, but the practice does not.

Just as health is important for people, information security is equally important for organizations to maintain their competitive edge, the confidentiality of their data, the integrity of their organizational practices, and the availability of resources and data as and when required.
By and large, these are the gaps in training and awareness programs:
  • Training programs are not aligned with the risk assessment that identified the risk areas for the business and the organization;
  • The success of most training programs is never measured, because no target is defined to measure against;
  • Most training programs are generic rather than tailored to the organization, its roles and its real exposure;
  • The focus is on the presentation, or on holding a training program as a periodic ritual, rather than on what people actually need.
So what next?
Simple. Just four aspects:
  1. Conduct a risk assessment to identify the risks that matter;
  2. Target behaviour change, not just awareness;
  3. Prepare a yearly timeline and set realistic, measurable targets;
  4. Engage people personally.
Let's get realistic and start putting effort in the right direction, because you either already are, or you will have to. Remember, prevention is always easier than correction! Awareness has to be embedded in the organization's most important and most vulnerable asset, its human resources, i.e. its people, and in some organizations, at certain stages, it already has been.
For example, when was the last time you changed the password of your LinkedIn, Facebook or Twitter account? Probably long ago, because LinkedIn and Facebook do not prompt you to change your password every 60 days. But if you work in an organization where passwords are set to expire every 60 days, you will change them, because there is no way around it. (Whether a fixed rotation interval is itself the right policy is a separate debate; the point here is that a control the system enforces produces the behaviour, where a reminder on a training slide does not.) Yet not every organization has such a practice implemented, or it is restricted to certain users, while they still talk about securing their data and protecting their machines and workstations with passwords!
Tail-gating, phishing emails, malware attacks: you have been talking about them in your training, but no one takes them seriously. Implement practices that curb these behaviours, or that catch people in the act, and use that moment to show them that they are doing it wrong.

For example: create a dummy account, send an email that looks like a phishing mail, and see how many people open it and click the link. Call those people and train them: tell them that this is not the correct practice, that they should not be clicking links or opening attachments in such emails, make them aware of real incidents where the accounts of even CEOs and CTOs were compromised through phishing emails and what the consequences were, and ask them to report such emails to the network monitoring team (or whoever handles these aspects in the organization). Run this as an authorized internal drill and measure each round: the click rate is exactly the kind of metric that generic training programs lack.
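The bookkeeping behind such a drill is simple enough to show in code. The following is an added illustration, not code from the original post: it issues a unique, unguessable link per recipient (an HMAC of the address, so the mail never carries the address in the URL and a guessed token cannot be pinned on someone else), parses the landing page's access log, and produces the list of people to call and the click rate to track from round to round. The recipient list, the landing host, the log format and the campaign key are all assumptions made for the example; a real drill would generate the key fresh and use the organization's own mail and web infrastructure.

```python
"""Phishing-drill bookkeeping: per-recipient links, click-log parsing and a
follow-up report. Added example; recipients, host, log format and key are
assumptions, not anything from the original post."""
import hashlib
import hmac
import re
from collections import defaultdict

# Per-campaign secret. In a real drill generate it with secrets.token_bytes()
# and keep it out of the mail template; a fixed value is assumed here.
CAMPAIGN_KEY = b"drill-2014-11-key"
BASE_URL = "https://intranet-notices.example.com/t/"  # assumed landing host

# Constructed recipient list (assumption, not real staff).
RECIPIENTS = ["alice@example.com", "bob@example.com",
              "carol@example.com", "dave@example.com"]


def make_token(recipient: str, key: bytes = CAMPAIGN_KEY) -> str:
    """HMAC-SHA256 of the (normalized) address, truncated to 16 hex chars.
    The link identifies the recipient to us without exposing the address,
    and nobody can forge a token that attributes a click to a colleague."""
    return hmac.new(key, recipient.strip().lower().encode(),
                    hashlib.sha256).hexdigest()[:16]


def build_campaign(recipients, key: bytes = CAMPAIGN_KEY):
    """Return ({token: recipient}, [(recipient, mail_text), ...])."""
    tokens, mails = {}, []
    for r in recipients:
        t = make_token(r, key)
        tokens[t] = r
        mails.append((r, "Subject: Password expiry notice\n\n"
                         "Your password expires today. Confirm your account: "
                         f"{BASE_URL}{t}\n"))
    return tokens, mails


# Assumed access-log format: '<iso-timestamp> GET /t/<token> <client-ip>'
LOG_RE = re.compile(r"^(?P<ts>\S+) GET /t/(?P<token>[0-9a-f]{16}) (?P<ip>\S+)$")


def parse_click_log(lines):
    """Extract (timestamp, token, ip) from log lines; malformed lines are skipped."""
    clicks = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            clicks.append((m["ts"], m["token"], m["ip"]))
    return clicks


def report(tokens, clicks):
    """Attribute clicks to recipients. Tokens we never issued (scanners,
    typos, guesses) are counted separately; each person is counted once
    however many times they clicked."""
    clicked = defaultdict(list)
    unknown = 0
    for ts, token, _ip in clicks:
        if token in tokens:
            clicked[tokens[token]].append(ts)
        else:
            unknown += 1
    sent = len(tokens)
    n = len(clicked)
    return {
        "sent": sent,
        "clicked": n,
        "click_rate": n / sent if sent else 0.0,
        "follow_up": sorted(clicked),  # the people to call and coach
        "unknown_tokens": unknown,
    }


# Constructed sample log (not real traffic): Bob clicked twice, Dave once,
# one hit carries a token we never issued, one line is garbage.
SAMPLE_LOG = [
    f"2014-11-30T10:02:11Z GET /t/{make_token('bob@example.com')} 10.1.2.3",
    f"2014-11-30T10:02:40Z GET /t/{make_token('bob@example.com')} 10.1.2.3",
    f"2014-11-30T10:15:05Z GET /t/{make_token('dave@example.com')} 10.1.9.8",
    "2014-11-30T10:16:00Z GET /t/0000000000000000 203.0.113.7",
    "garbage line",
]


def run_drill():
    """Build the campaign and score the sample log."""
    tokens, _mails = build_campaign(RECIPIENTS)
    return report(tokens, parse_click_log(SAMPLE_LOG))


if __name__ == "__main__":
    r = run_drill()
    print(f"{r['clicked']}/{r['sent']} clicked ({r['click_rate']:.0%}); "
          f"follow up with: {', '.join(r['follow_up'])}")
```

Run it and the sample log yields 2 of 4 recipients clicked (50%), with Bob and Dave on the follow-up list and the forged token ignored. Track the rate per round rather than per person: the aim is to watch it fall over the year, which is the measurable target the earlier list asked for.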

You see an unlocked workstation? Click on it, and then tell its custodian, with a pinch of humour, that you were about to send his resignation letter to his boss.

I believe information security is one of the most discussed and challenging subjects for organizations, federal agencies and governments, but at the same time it is one of the easiest practices to get right, provided you follow the basics and the underlying processes efficiently. The most fundamental fact about information security is that it depends on the custodians themselves realizing how vulnerable they are; it is they who must follow and embed a culture around them to become resilient to InfoSec attacks. It is like snow and rain, which fall on everything around you, but if you have the right gear you will walk through without feeling a pinch of it.