Your security systems assume
programmed logic and programmed decisions unlike humans. How good may be your
security infrastructure, you don't meet the ends of security unless you educate
your employees about your security policy. Whenever, news breaks open that
reputed company systems are hacked, you would wonder how attackers did that?!
There exists a high probable chance of insider job behind these attacks.
"The attackers gained access to database server!" Now the question is
how did they get the password? How did they get to know about the security
systems in place inside the company? How good are the small &
medium companies when securing information?
Now, think who gave
those passwords. It would be none other than who knows it, your employee. Not
every employee would ends up providing passwords to the attackers. A
disgruntled employee who started envying his boss will provide passwords for
95% of chances. Not only passwords but also the how good the physical security
elements are in place! So how do far could you trust your employees when it
comes to information security? Almost all employees will be discontent at some
point. So it's up to your Information Technology team to decide how to handle
critical business information.
Classified Assets:
A common phenomenon
would be is to classify employees based on the importance of the work.
Example, we can classify then as critical and non-critical assets. Critical
assets are employees who work on classified information. A unique security
guideline including social interactions when it comes to business must be
placed. And liability for non-compliance of guidelines. A Unique password for
each critical asset to interact with critical information. Avoid common
security credentials for all employees. Providing unique security credentials
will help in identifying the mole in the organization.
Firewall, Filters:
Also it is well advised
to place good firewall, email filters policies to avoid data being sniffed out
of your company. It may sound like old-school methods of securing information.
But it is wise to invest on firewall to know the type of traffic and request
which were turned down by your servers. They help in identifying the possible
methods and protocols attackers trying to explore with your information
infrastructure.
When it comes to email
filters, huge cry would be infringement on privacy of your employees. Most of
them envy email filters as it will not spare even personal emails. But you will
not regret placing such filters to identify what kinds of information are sent
to outsiders from employee desk. Consider, an employee emails a spreadsheet
which has crucial information about the business target of present fiscal year.
If no filters were in place, respecting the privacy of the workers, then you
will face a huge public embarrassment. Email filters will block such emails
which are crucial to your business. Even the person states that he will work on
the data from home. The company must take serious decision especially on
"weather the person need that data? And what he is trying to do with that?
Do he really have any useful business with the data?" A rational decision
would save the day for your company future. For information security is all
about being proactive. Once, the information goes out of company LAN then in no
way you would be able to recover it.
Actually placing a
working email filter is not spying technically. Educate your employees about
the email filters and discourage them to use personal emails during work hours.
This would be commendable as those using personal emails have high potential to
infect the company networks with malwares and spywares.
Storage Policies:
Now, the way through
email was blocked. Next best method for grabbing crucial information is through
portable storage devices. Most common is Pen drive and USB sticks. First,
question yourself, who need access to the USB and why do they need them? Not
all employees need access to store information to a USB sticks. So create a
storage policy that prohibits usage of external storage devices. But a general
ban on USB external storage will hurt some business very bad.
So those systems through
which external storage devices could be accessed must have record of people who
use them. The activity log must be collected to analysis for any activity
against the company policies.
Assessments:
Last but not the least,
test the integrity. You must conduct periodic test against your information
infrastructure, especially, on the social interaction front of critical assets.
Hire security experts and create a plan for the attack emulation. Work with
experts and test against your assets and infrastructure. Find the
vulnerabilities before the attackers get head-start. Find out how easy for
outsiders to get information about your company.
Analyze your vulnerabilities
and educate your employees about the importance of the role they play. Assess
them periodically and under pressure. One who keeps up with the change will win
the race. Don't relent and be complacent with information security. Being
in the information era, investing in information security infrastructure worth
every penny.
No comments:
Post a Comment