High profile data breaches are rarely out of the news, it’s therefore no surprise that information security is at the top of every IT Director’s agenda. I am often asked what constitutes the biggest risk of a data breach’. There are of course many risk factors associated with keeping information secure, and it would be overly simplistic to say that employees are the biggest risk, they do however require careful management.
Systems, processes and procedures are used by people, and people are human, they make mistakes. And there are plenty of opportunities for people to make these mistakes; from phishing emails, insecure personal devices, transferring information by email, taking sensitive information home even leaving documents on printers, it’s a minefield!
So what can you do to mitigate the risk?
There are a number things you can do support your employees and help them to be more security aware when dealing with information.
Security awareness in your recruitment, selection, appointment and induction programme
Start as you mean to go on. Set the standard of how your business operates from the outset. Ensure that information security responsibilities are detailed in your job description and make it the first thing you cover in your induction. Get employees to read and sign off on their understanding of your company policies and procedures and make sure they understand the consequences of breaching those policies
Create robust and concise policies and procedures
Make sure your policies and procedures accurately reflect how your business works and make them concise. If you expect your employees to follow them they need to be straightforward and easy access and implement.
Conduct regular updates and refresher training
Make information security a core part of your business. Ensure that regular updates and refresher sessions take place, record attendees in a register and don’t let remote workers slip through the net. We often find that it is the long-term more experienced members of staff whose actions raise non-conformance’s on internal audits, and the new recruits are more security aware having recently undergone training.
Accept no exceptions
We’ve all been there, a file that has to reach a customer urgently, a proposal that needs to be delivered to deadline. Don’t ever let these situations become reasons to bypass security protocol. If your Senior team ‘work around’ information security policies and procedures then don’t expect your employees not to follow! It’s a recipe for disaster.
By Graham Henstridge – ISO Certification Director