What single change would create the greatest Information Security benefit for organizations?
Which single change (of any kind) would provide the very best benefit to most organizations from an Information Security perspective?
Essentially, what is it that most companies could be doing -- but are not today -- which would greatly improve their security posture?
And most importantly, why?
Best Answer (recommended by Andrew Baker)
The biggest change you can make to impact Information Security is employee training and education. Employees need to be educated on all of the risks that exist and how large the impact of a compromised password can be. They should be fully educated on how to identify and avoid social engineering and its larger implications. They must be educated on how to create strong passwords, how to remember and save passwords, and why they must not use the same password for all of their other accounts. They need to be aware of the importance of a good infosec policy on their home PC and all of their personal accounts as well.
All of the best security practices can easily be undone by one careless employee. Many breaches happen when an employee
Install an anti-malware package against viruses, worms, Trojans and spyware on each end-user system.
The snarky-but-true answer is "suffer a large data breach". Sadly nothing gives a stronger mandate for change than being shown up in public.
Minds, from the top down, need to be focussed on security. Steve and Glen both make good points, but anything promoted or introduced in terms of security needs backing from the CEO downwards - that ranges from wearing a security pass, adhering to policies, and setting budgets and project priorities.
Top of my wishlist for any organisation would therefore be an executive board who buy into security, and give it equal priority to the normal publicised business goals and aspirations. Everything depends on and is built from that starting point.
To simplify what Steve Heusser said, if the company's president were to hold a 5 minute seminar for all employees, explaining a new requirement to use pass phrases instead of passwords, they would triple the time it takes for a hacker to break into their accounts. Of course, with the growth of web farms and GPU processing, it won't be long before even pass phrases can be cracked quickly through brute-force attacks.
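To put numbers on the password-versus-passphrase comparison made in the answer above, here is an added example (not part of the original thread, and not code from any of the participants). It computes the entropy of a secret from the way it was generated and the expected brute-force time at an assumed guess rate; the 10 billion guesses per second figure and the 7,776-word (Diceware-sized) wordlist are assumptions chosen for illustration, not values from the page.

```python
import math

# Assumed attacker capability for illustration only: 1e10 guesses/second
# is in the range of a GPU rig attacking a fast, unsalted hash.
ASSUMED_GUESSES_PER_SECOND = 1e10


def password_bits(charset_size: int, length: int) -> float:
    """Entropy in bits of a password chosen uniformly at random from
    charset_size ** length possibilities."""
    return length * math.log2(charset_size)


def passphrase_bits(wordlist_size: int, words: int) -> float:
    """Entropy in bits of a passphrase of `words` words, each drawn
    uniformly from a wordlist of `wordlist_size` entries."""
    return words * math.log2(wordlist_size)


def pattern_bits(dictionary_size: int, digits: int, symbols: int) -> float:
    """Entropy in bits of the common human pattern 'DictionaryWord + digits
    + one symbol'. Length looks fine, but the search space is tiny because
    the attacker tries the pattern, not every character combination."""
    space = dictionary_size * (10 ** digits) * symbols
    return math.log2(space)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected brute-force time: on average the attacker searches half
    of the 2**bits keyspace before hitting the right guess."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def compare(guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> dict:
    """Return {policy: (bits, expected_seconds)} for three sample policies
    (sample parameters are constructed for this example)."""
    policies = {
        # 8 characters from upper+lower+digits (62 symbols), truly random
        "random_8_alnum": password_bits(62, 8),
        # Capitalized dictionary word + 2 digits + 1 of 10 symbols,
        # e.g. 'Summer19!' -- 9 characters, but a small search space
        "word_2digits_symbol": pattern_bits(50_000, 2, 10),
        # 4 random words from a 7,776-word list, joined with spaces
        "random_4_word_passphrase": passphrase_bits(7776, 4),
    }
    return {
        name: (round(bits, 1), expected_crack_seconds(bits, guesses_per_second))
        for name, bits in policies.items()
    }


def crack_time_ratio(bits_a: float, bits_b: float) -> float:
    """How many times longer the secret with bits_b takes to crack than
    the one with bits_a (independent of guess rate)."""
    return 2.0 ** (bits_b - bits_a)


if __name__ == "__main__":
    for name, (bits, secs) in compare().items():
        print(f"{name:28s} {bits:5.1f} bits  ~{secs / 86400:12.1f} days")
```

The lesson a practitioner takes from running this is that strength comes from how the secret is generated, not from its character count: the nine-character "word + digits + symbol" pattern has less entropy than the eight-character random string, while four random words out of a modest wordlist dwarf both. A policy that merely says "use a passphrase" without specifying random selection gets the pattern, not the passphrase.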
+1 for Steve's answer ... the largest gap right now is with end user behavior, social engineering is still a HUGE ingress vector for the bad guys. As a common contact/colleague of ours has decided, testing end user behavior and then training will be a huge benefit to overall security posture.
I think corporate culture, from the top down, needs to emphasize the need for everyone to gain a better understanding on how breaches occur, and what their individual responsibility is to help secure the environment.
Better knowledge dissemination will lead to better behavior.
The big change that will make a real difference is giving *all* the people in your organization role-appropriate security objectives to be graded on at performance review time. Only by making security everyone's job can there be true accountability for failing to perform one's tasks in a secure manner: it only takes one employee clicking on the wrong email to compromise the whole organization, as the RSA breach demonstrated (not to mention others). Everyone handles some kind of information, and all information needs to have security controls commensurate with its value and classification, so everyone's job involves security: tying one's performance on the security front to compensation is the sure way to drive "awareness" in a way that employees don't forget! The culture of security that this kind of move would create trumps almost any other single action an organization can take, IMHO.
A culture of information security must first take hold at the top echelons of organizational management, then permeate throughout the organization. The "bottom-up" approach towards security, while both useful and necessary, WILL NOT lead to successful information assurance until the protection of data is viewed to be at least as important by Executive Management and Board Members as Company Financials. As security professionals we all understand that security should not focus only on technology; we all understand the importance of the "People, Process, and Technology" triad. But how many of us are actively tracking the maturity levels of these entities within our organizations, and reporting identified deficiencies to senior management? Until we do, management will feel that because we have security devices/tools in place, our critical data must be "Secure"! This is never the case.
AWARENESS, right from the top to the very bottom. TOP FIRST. Water always flows down.
I have two answers:
1. If you want to reduce the "insider risk" you should start with treating your employees with more dignity.
2. Many enterprises tend to use process as a substitute for competence. It is way too easy to get people to focus on the easy thing, but good security people know how to watch out for exceptions.
Implement a comprehensive risk analysis and risk management plan.