The Human Dimension: the human aspect of information security
Nov 01, 2014
Guess you'll all agree with me that…
bad information security means bad company security, lost credibility
we must be sure that we protect our data, our commercial secrets, our assets and our business transactions
YOU DO EVERYTHING TO MAKE THIS HAPPEN, FOR SURE
but…
EMPLOYEES WORK WITH COMPANY DATA, COMPANY SYSTEMS, THEY ARE IN TOUCH WITH CLIENTS, SERVICES AND PRODUCTS.
THEY NEED TO UNDERSTAND THE BASIC PRINCIPLES OF INFORMATION SECURITY.
Fact: HUMAN ERROR IS THE CAUSE OF 42% OF ALL SECURITY BREACHES
ISC2 White Paper: Securing the Organizations: Creating a Partnership Between HR and Information Security
Information security is one of the biggest challenges a business faces today.
50% of respondents think that their employees had little or even no awareness of data protection issues or corporate security policy.
55% of companies used over 7 different vendors to keep their network secure.
Ref: Checkpoint Technologies & The Ponemon Institute Survey 2011, 2,400 IT security staff across the world
When does "an employee" become a RISK?
123456
Password
iloveu
Do you know what these are?
I mean… The gap between you guys and your average employee is HUGE
Fact: We don't know as much as you do
Paper, pen, letter
typewriter
computer
internet, e-mail
Web 2.0, social media
Virtual communities
People move…
Both in real and virtual world…
And they create risk!
With or without knowing it
87,5% of large businesses have a security policy in place.
67% of the companies that give a high priority to security also had a security policy.
A big majority of companies take steps to raise awareness among employees.
More than 50% allow staff to access their systems remotely.
The proportion of businesses restricting internet access dropped by 50%.
A picture…
Now fewer than 10% give no access to the internet.
Employees are increasingly being targeted by "social engineering" attacks.
Businesses are becoming more concerned about what is being said about them on social networking sites.
More than 80% of large companies blocked access to inappropriate websites.
86% logged and monitored staff access to the internet.
Research by PWC UK, 2010
more exposure, more action, more knowhow sharing, more interaction
The Return is big but the Risk is big too
your employees can fast become the weakest link in your information security
changing employee behaviour is the key to improving information security.
The big how
Offer them a clear framework:
EMAIL SECURITY
INTERNET SECURITY
DATA SECURITY
ASSETS SECURITY
Do you have policies? Why?
Customize the access according to the skills and needs of the employees
customize the risk
But standardize your policies
The worst way to communicate a policy is publishing it
Educate, educate, educate: have your employees build the "awareness" muscle
Give people good habits
Communicate your best practices
Create an awareness culture: let it be a dialogue
Make it formal: it is serious
Make it simple, make it fun, make it participative
Make it a management issue
Be fully proactive
Tell them: Personal = professional
Prohibiting, limiting, banning is not your key to success
trust
Answer the "WIIFM?" (What's in it for me?)
Does HR talk about these?
I am afraid not…
HR & IT partnership
I am afraid not…
Legal base remains unclear too…
You have to be a security and policy mentor
Your employees have to be security and policy literate
Your company has to be security and policy fluent
E-mail:
LinkedIn: http://tr.linkedin.com/in/pinarakkaya
Twitter: http://twitter.com/PINARAKKAYA
http://twitter.com/lifesocialmedia
http://tr.linkedin.com/groups/hrleadersturkey
get connected