The human element in information protection


Social engineers are experts at exploiting behavioural cracks in otherwise sound policy and procedures for information protection. And their methods are not limited to computer hacking, phishing and other digital tactics. They know easier ways in.

For example, how many times have you seen company employees courteously hold open a door, allowing strangers into controlled spaces? Being polite trumps a company’s clear requirement to authenticate every person entering internal office spaces.

Despite ever-accelerating technological progress, the weakest link in information protection practices remains human behaviour. A robust policy and control framework for information protection isn't worth much if personnel across the organisation retain excessive discretion, have low risk awareness and behave in ways that jeopardise or defeat protection controls.

Companies that seriously want to protect their proprietary information must ensure that protection measures on the computer systems and networks are matched by a corporate culture that encourages information control awareness and enforces consistent compliance with information security practices.

What exactly are you protecting? And what are you missing?

Information exists in three domains: physical, verbal and digital. Today's ubiquitous networks, which interconnect most operational functions, along with Internet-based platforms, make it tempting to consign "information" exclusively to the digital domain. Most discussions about information security automatically presume this association.

This mindset has resulted in physical and verbal information being increasingly ignored and routinely neglected by information protection professionals and information owners. The time-honoured WWII maxim "Loose lips sink ships" has been replaced with the mantra "Change your password every two weeks." People may text each other incessantly, but they still like to talk, too, and may well routinely over-disclose sensitive information in conversation or leave it lying about in physical form. These days people also tend to publish both personal and work-related information online indiscriminately, without necessarily thinking twice about it.

Software is easier to buy than common sense

Why is so much more attention paid to the digital domain compared to the physical and verbal? Perhaps because it is so much easier to protect digitally stored information. Robust digital information protection tools are abundantly available, and professional education in network security is well established. Companies are happy to earmark funds to protect their secrets, and software is easier to buy than common sense.

And yet, nearly every week, information compromise incidents hit the headlines. The victim organisations then have difficult, heated, internal discussions about how these incidents occurred and what the root causes were. The answers won't always be found only on their IT networks…