In recent discussions some people said that humans are not the problem, but rather the lack of good technology to protect them. I beg to differ. I think the human is the weakest link in any security system. In this blog I’ll explain why I think what I think. And, by all means, open up the discussion in the comments on LinkedIn if you agree or if you don’t.
Human Factor & Technology
When you think about security you think of technology, which makes sense because technology is what we are often trying to protect and we use technology to protect ourselves. In my opinion humans are the weakest link because you need technology to protect humans from other humans.
Yes, you can set up, roll out technology to help prevent a lot of human errors, but then we’re still talking about human error. Emphasis on ‘human’.
What you can do as an organization for your human factor security
I’ve created 6 principles that, in my opinion, are the basics to tackle human factor security in any organization that has personnel. These 6 human factor security principles are:
- Job description & authorization levels
- Interview and employment contract
- Culture and behavior
- Personnel regulations and security policy
- Awareness training
I’ll discuss all 6 principles below.
1. Job description & authorization levels
Every organization should have job descriptions for most roles within the organization. This will come in handy when deciding what salary is appropriate, or to know who does what in case of a leave of absence and their tasks have to be taken over by a colleague. When it comes to the Human Factor Security, you’ll want to make sure you have authorization access levels in place so that unauthorized personnel cannot view, edit or delete information and files. Should a person need to take on extra tasks due to a sick leave of a colleague, it could very well be that they require additional authorization to access specific areas in the network. But once the colleague returns to their regular work, the authorization levels must go back to how they were. That makes sense, right? You’d think that, but all too often I see otherwise. When people get demoted, promoted, change positions within the company, it’s up to HR and IT (or whomever is in charge) to change the access levels to where they should be. So, preferably before a position is filled: think about the appropriate access that person in that role should have.
2. Interview and employment contract
When interviewing someone for a non-IT position, there usually doesn’t seem to be a need to ask about the interviewee’s knowledge of security. However, here’s where you have a lot of influence in selecting security aware personnel. You know, the kind that takes responsibility to keep your organization secure and protect your assets. My advice is to find a way to incorporate security awareness questions into the interview and assessments. Just asking them straight forward isn’t good enough. Any well-prepared applicant would know the right answer, but you really want to pick out the people who aren’t averse to change (when new policies and WOW (way of working) methods change that they will adhere to the new rules and follow new processes).
3. Culture and behavior
There are a number of behaviors that a person can show that by itself might not mean much, but in combination should be seen as red flags. A few examples below, but please be aware that even if one person ticks all the boxes, there is still a possibility that they’re not a threat. At least, not yet.
- Doesn’t like authority figures
- Unusual and / or unpredictable behavior
- Asks for access outside the scope of authorization level
- Likes to work late or leave last
- Shows dissatisfied behavior / expresses dissatisfaction
- Suddenly has little or no money
- Shows criminal behavior
- Makes sexual advances
- Likes to gamble and / or asks to borrow money
- Uses a lot of alcohol and / or drugs
Another thing to look for in an organizational culture is fear. Fear to speak up for instance. If there are bullies or the manager/boss is a person who people will try to avoid, are afraid of and so on, you can bet your bottom dollar that personnel is way less likely to notify their boss / manager of a data breach or other security issue. Which is a risk for the whole organization. A manager may be a right royal *bleep* to work with but really the best in his field, but if this results in more risks as mentioned above, than you’ve got to really do a check and balance about how much risk you’re willing to take.
4. Personnel handbook and security policy
The security policy should be signed by all staff members that they’ve read it and will adhere to it. This makes them accountable and could make it easier on your organizations to take appropriate measures should they purposely or repeatedly break the rules. Appropriate measures could mean official warnings in their personnel file and even lay them off.
5. Awareness training
Awareness training on what security, privacy and risk management is, will help your staff to understand the necessity and their role in the business continuity of the organization. Awareness trainings should be given yearly at a minimum but preferably more often. This doesn’t mean you’d have to hire an outsider every time, but you could incorporate drills into the mix. Just like fire drills, where everyone practices what to do and people know where to go etc. A similar thing can be done with regards to security. Create a fake security, have a BCP (Business Continuity Plan) in place and practice using it.
Last but definitely not least, the NDA (Non-Disclosure Agreement). When new the interviewee becomes the employee and NDA must be signed, together with the rest of the paperwork. The HR staff must go over the NDA very clearly with the new employee and then the employee must sign it. This holds them accountable, just like with the security policy. They must be aware of the penalties of not adhering to the NDA. And, when the offboarding process starts, again, regardless of how or why someone is leaving the company, the NDA must be discussed again. Their awareness of penalties must be refreshed. They need to be made aware (again) that certain (or all) parts of the NDA are still valid even after they’ve left and sometimes for an indefinite amount of time. Don’t assume that people will remember. You can have the highest penalties, but you’d still wouldn’t want certain information made public regardless. So, better safe than sorry: prevent it by going over it before the employee starts working and after they leave.
Need help with a Business Continuity Plan?
Need help with a Business Continuity Plan or advice on Human Factor security?
- Do you need help creating and writing your Business Continuity Plan?
- Do you need help assembling a Business Continuity Team?
- Would you like advice on how to implement these 6 principles in your organization?
Would you like more information on Privacy & Risk Management?
Sign up for the 60 Day Privacy & Risk Challenge, starts February 3rd 2020.