
27 March 2012

Better the devil you know

Better the devil you know when it comes to Information Security

Warning! If my previous blog alarmed you, then this one might turn your hair grey. But believe me when I say it’s better the devil you know!

So now you’re aware of the consequences of a security breach, it’s time to look at how they occur in the first place.

Simply put, it’s basic human error. How many times have you held a secure access door open for someone who had their hands full with files and coffee? I imagine many of you are nodding at your computer screens. Well, I hate to inform you that you may have fallen victim to one of the oldest tricks in the book.

Social engineers (as they are called in the industry) rely on the fact that most people are polite, helpful…and, let’s face it, terribly British. Not only do we Brits not want to appear rude or unhelpful, but we are also very good at turning a blind eye if we see something suspicious going on, and nine times out of 10 we will tell ourselves that someone else will deal with it.

So imagine a whole organisation of people behaving like this – you should count yourself lucky that you’ve not had a breach (of course there’s always the possibility you haven’t discovered it yet).

But sometimes there doesn’t even need to be a criminal involved. A high street bank was fined after it was found that employees were putting bin bags full of un-shredded customer information outside their premises for the bin men to pick up.

A big part of the problem is that employees are not aware of the correct procedures and what the consequences of not following them are. Throwing a piece of paper that’s no longer needed in the bin may seem a perfectly normal thing to do, but if that piece of paper contained confidential information, it could fall into the wrong hands. And trust me, information thieves will go through your rubbish.

But there is an even bigger problem – security is boring. There, I said it. You won’t find a subject to turn your audience off more quickly than security (other than maybe accounting). So even if you do communicate it, the chance of people taking any notice is pretty slim.

So my advice is to ask our employees to put themselves in our customers’ shoes. I don’t know about you but I would be furious if I found out that my bank, insurance company or gym had lost my personal details. So why would I want to do that to my customers?