Humans are the weakest link in the information security chain
We’re all human: we make mistakes. Unfortunately, there will always be people trying to take advantage of our mistakes for their own benefit, which can cause our business tremendous financial loss. No matter how sophisticated our cyberdefenses are, how advanced our technologies are, how good our security practices are, we will always be constrained by this human factor.
What can we do about it? Well, we can’t completely eliminate mistakes, but we can make them much less likely: inform, train and clarify what you expect.
Training operational teams in Information Systems Security
Operational teams (network, security and system administrators, project managers, developers, CISO, …) have privileged access to information systems. Inadvertently, by accident or simply through ignorance, they may carry out operations that introduce vulnerabilities, e.g.:
- Using high privilege accounts when not necessary
- Using personal accounts to run services
- Choosing weak passwords for privileged accounts
In order to avoid such pitfalls, operational teams should be regularly trained about topics such as:
- Applicable law and regulation
- Main current risks and threats
- Authentication and access control
- Systems hardening
- Network segregation
- Logging and monitoring
This list is not exhaustive, and not all topics apply to all operational teams, since different operational teams obviously require different Information Security skills. In addition, the required Information Security skills also depend on how security is integrated into the organization’s processes. For instance, the skills required of project managers and developers may depend on how security is integrated into projects.
Raising end-users’ awareness about Information Systems Security
The end-user is also an important link in the information systems chain. He/she should therefore be properly informed of potential security issues and of the rules regarding information security. In addition, he/she should be taught how to detect a security issue and how to adopt the correct behavior in order to mitigate the risk.
Information Security Awareness training should be given on a regular basis to all employees. It should be adapted to the target users, can take different forms (e.g. emails, posters, meetings, dedicated intranet space, eLearning, classroom instruction, …) and should cover topics such as:
- objectives / challenges faced by the organization in terms of information systems security
- information considered sensitive
- legal and regulatory obligations
- security rules and the main procedures for daily activities (e.g. compliance with the security policy, email security / phishing, using personal IT equipment, password protection, reporting suspicious events, clean desk / clear screen policy, …)
It is also recommended to produce an “Acceptable Use Policy” to define rules and set guidelines about how the organization’s IT resources may be used.
Oh, and one more thing… in case of outsourcing, make sure to mitigate the related risks
If your organization wishes to outsource all/part of its information systems, a specific risk assessment should be performed prior to starting the outsourced service. The information security requirements for mitigating the risks associated with the supplier’s access to the organization’s assets should be agreed with the supplier and documented.
Such requirements may include, but are not limited to:
- description of the information to be provided or accessed and methods of providing or accessing the information
- legal and regulatory requirements (e.g. data protection, intellectual property rights)
- obligation of each contractual party to implement an agreed set of controls including access control, performance review, monitoring, reporting and auditing
- information security policies relevant to the outsourcing
- incident management requirements and procedures (especially notification and collaboration during incident remediation)
- training and awareness requirements for specific procedures and information security requirements (e.g. for incident response and authorization procedures)
- relevant contact persons for information security issues
- right to audit the supplier processes and controls related to the agreement
Ultimately, responsibility remains with the organization that outsources, so it makes sense to take reasonable steps to ensure that no unacceptable risks are introduced.
Other typical requirements can be found in the ISO/IEC 27002:2013 standard.
Making training really effective
One of the questions that often pops up when it comes to training is “Does eLearning work in comparison with classroom instruction?”
According to a research review compiled by Will Thalheimer, PhD, in 2017, what matters for learning effectiveness is NOT whether the modality is eLearning or classroom instruction; the learning methods are what make the difference. Realistic decision making, spaced repetitions, real-world contexts, and feedback—among other research-supported learning factors—produce better learning than straight information presentation. When learning methods are held constant between eLearning and classroom instruction, both will tend to produce equal results.