Earlier this year, a security firm called RSA was embarrassed by a major breach that led to information about its user authentication token technology leaking out.
The company not only faced a huge bill to physically replace its offerings, which were now useless, but also attracted unwanted column inches from press around the world. Just to add to RSA’s shame, however, the problem was not caused by some well-paid, notorious state-sponsored hacker.
Instead, it was brought about by one of its own employees who made that most basic of security errors – opening a malicious email attachment. After having identified the aforementioned individual within the business and presented the attachment as something pertinent to their role, an attacker was able to access the firm’s network.
Such manipulation is dubbed ‘social engineering’ and amounts to a ‘targeted attack’. But arguably, if the employee had been trained to be wary of such threats in the first place, the incident might never have happened.
What the lesson appears to be here is that employers should both warn staff of such potential threats and also provide them with adequate training in how to handle them. Despite the wealth of useful online information available, however, too many organisations fail to offer their personnel enough education on data privacy and/or how to surf the internet safely in the workplace.
But those that do decide to devise a practical, hands-on programme to teach workers with often limited technical knowledge about how to behave securely in the workplace can reap huge benefits.
The idea is that no organisation can be truly secure without the involvement of its entire workforce, which includes managers who must lead by example. The circle is then closed by introducing suitable processes and technology to underpin and police safe working practices.
Clear communication
Another key consideration for HR in the information security context, however, is to get together with the IT department and write a jargon-free and easy-to-understand staff usage policy. The advantage of this kind of cooperative approach is that, while the IT team will be expert in technology and the regulations surrounding it, HR has the internal communication skills to get the message across to personnel.
In general, usage policies fall into two key categories though -‘hard’ ones that relate to technology and ‘soft’ ones that relate to behavioural issues.
‘Hard’ policies articulate who the scheme affects, why it is in place and when and where it is applicable. They also spell out what the potential risks are, how they might be managed or mitigated and the consequences to both the organisation and the individual if something goes wrong.
‘Soft’ policies, on the other hand, relate to training and awareness and require that staff understand the ‘who, what, why, when and where’ elements. The most effective means of getting the message across here is to explain different elements of the policy in terms of how it relates to people’s personal lives in order to make the theory both understandable and meaningful in practice.
Another important role for HR professionals, meanwhile, is to clearly communicate what enforcement mechanisms and sanctions will be used should workers break the rules – not least because it will be they that will have to deal with the repercussions of any security breach when it occurs.
While the above may all seem like a lot of work, the key thing to bear in mind is that employees are on the information security front line. As a result, providing the right education, training and policies to support your people in doing the right thing could be the secret to preventing your company from being the next one to hit the headlines.
Garry Sidaway is global strategy director at security software and services provider, Integralis.
