Tuesday, 30 October 2018

Information Security is Everyone's Business

Information Security Awareness Training: here is what should be covered:
Provide employees with an easy-to-use, 40-minute online course on information security awareness, so that they can log in and learn best practice for information security.
Provide best-practice course content that matches your compliance requirements.
Teach employees, in simple, non-technical language, how and why attackers attack.
Give employees practical methods for protecting your systems and the sensitive information you process.
Explain to employees their responsibilities for protecting the company's information and for identifying and reporting suspicious activity.

To provide this information effectively and efficiently, an information security risk assessment must be performed.

A good threat and risk assessment should answer the following questions:
  • What should I protect, and where is it located?
  • What is this information worth to the company?
  • What vulnerabilities are associated with the systems that process or store this information?
  • What are the threats to those systems, and how likely is each to occur?
  • What would the damage to the company be if this information were compromised?
  • What should be done to minimise and manage the risks?

Answering the questions above is the first and most important step in managing information security risk. It identifies exactly what your business needs to protect, where it is located, and why you need to protect it, in terms of real costs that everyone can understand.

The Information Commissioner's Office (ICO) fined a London-based marketing firm £90,000 for making unwanted calls to vulnerable people. In many cases the calls led pensioners to pay for boiler insurance they did not need.

Explain clearly to every employee what their responsibilities are for the data they handle day to day, how to protect it, why it needs protecting, and what the consequences are for the company of failing to do so.

Most untrained employees will assume that data protection has little or nothing to do with them. However, if a data breach occurs, the company may lose customers when the news reaches the press, and that loss of business can lead to redundancies. Every employee, from the cleaning staff to the managing director, shares responsibility for it.

Who should give the training?

This is not a subject that a generic training company can deliver properly. You really have to work with genuine security experts: highly qualified, experienced companies.
Unfortunately, many people and companies in the IT sector have put themselves forward as IT security gurus, and most of them simply trade on fear. They want to sell you a specific service whether you need it or not.

However, there are highly qualified, professional companies that are genuinely useful.
In 2011, I was lucky enough to be at eCrimes Wales when Richard Hollis of Risk Factory spoke. His presentation spoke to the audience in a way that few other speakers did that day. It established him, in this author's mind, as the person to go to in the UK with questions about data security. I managed to exchange a few words with him during the break, and he was a real help.

Why do I rate Rich so highly? Well, his background is interesting, to say the least: his NSA experience means he knows what he is doing and has far more knowledge of this area than the average Joe. It also means that where other computer security experts see a single problem, Rich sees the much bigger picture.
Of course, many other companies offer similar services, and in the current economic climate it is worth shopping around if you need them.

Getting started

First, watch and review the video (link below); it is also on YouTube, so watch it there too. While watching, take notes, plan your steps, and answer the key questions above about your business, its data and its security.
Then contact your IT department, if you have one, or your IT support company, and ask whether they have a cost-effective plan you can implement without putting too much strain on your IT budget.
For a few hundred pounds you can start protecting your company's data from external threats by installing the right kind of firewall, one that receives cloud-based updates around the clock.

Quality anti-virus with built-in anti-malware does not have to cost the company a fortune either, but again, take advice. Many of these products slow the computer down so much that they have a real impact on performance. One of the best known of them (its name starts with N) is often sold in high-street electronics, stationery and consumer goods stores as "the best"; in fact it has the best profit margin for the retailer, not the best protection. It slows the system down and needs a dedicated removal tool to uninstall completely.

Store sensitive data in an encrypted area of a RAID storage system with restricted access control. A NAS drive is an effective and inexpensive way to achieve this. Bear in mind that RAID protects against a disk failing, not against deletion or ransomware, so the NAS still needs a separate backup, and encryption at rest protects the disks if they are stolen, not data read through an account that already has access.
Do not store sensitive data on consumer cloud services such as Dropbox. They are certainly inexpensive and easy to use, so for non-critical material such as graphics, logos and promotional content they are fine. If you are sending your accounts to your accountant, or a new product drawing to a machine-tool company, use something more secure.

Nothing personal against Dropbox and similar products, but like Microsoft OneDrive as it stands today, both have been breached in the past. Although their security has improved significantly, you should not take chances.
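If a file does have to travel through a consumer sync service or sit on a shared drive, the practical safeguard is to encrypt it on the company side first, with an authenticated cipher, so the provider and anyone who breaches it only ever sees ciphertext. The Go program below is an added example, not code from the original post or from any product it mentions; it uses AES-256-GCM from the Go standard library, binds the file name into the authentication so a renamed or swapped blob will not decrypt, and rejects a blob that has been altered by even one byte. The file name, contents and the way the key is handled are assumptions for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh 256-bit AES key. Assumption for this example:
// the key is generated and kept on the company side (password manager,
// access-controlled NAS), never in the same cloud folder as the files.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect encrypts plaintext with AES-256-GCM. The file name is bound as
// associated data, so a blob renamed or swapped for another file in the
// shared folder fails to decrypt. Layout: nonce || ciphertext || tag.
func Protect(key []byte, name string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends the ciphertext and 16-byte authentication tag to nonce.
	return aead.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// Unprotect reverses Protect. Any change to the blob, a different file
// name, or the wrong key makes Open fail and nothing is returned.
func Unprotect(key []byte, name string, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(name))
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample: the kind of file the post says not to drop into a
	// shared cloud folder in the clear.
	accounts := []byte("ACME Ltd management accounts Q3: turnover 412,300; net 38,900")

	blob, err := Protect(key, "accounts-q3.csv", accounts)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes of ciphertext; the provider sees no plaintext\n", len(blob))

	// Correct key and name: the accountant recovers the file.
	got, err := Unprotect(key, "accounts-q3.csv", blob)
	fmt.Printf("decrypt with the shared key: err=%v, match=%v\n", err, string(got) == string(accounts))

	// A flipped byte (tampering or sync corruption) is rejected outright.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = Unprotect(key, "accounts-q3.csv", tampered)
	fmt.Printf("decrypt of tampered blob: err=%v\n", err)

	// The same blob renamed to look harmless is rejected too.
	_, err = Unprotect(key, "logo.png", blob)
	fmt.Printf("decrypt under a different file name: err=%v\n", err)
}
```

The key has to reach the accountant or supplier by a separate route (in person, or over an already-trusted channel), which is exactly the point: the sync service never holds both the data and the means to read it. A fresh random 96-bit nonce per file is safe for the number of files a small business will ever store; this complements the access-controlled NAS described above rather than replacing it.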

Finally, take advice from real experts when you are in doubt. People like Richard Hollis have dedicated their careers to security. While parking outside a company for a meeting, they have already, almost automatically, weighed up several security considerations. By the time they walk through the front door they have made a dozen more observations and risk assessments, all before they sit down to discuss your concerns.

Layers: security is about taking a layered approach. Think of it like an onion. Here is a physical example from a company I worked for many years ago.
When you entered the building, you could not get past reception unless they buzzed you through the security barriers. Staff used access cards that were checked at the barrier.
The staff access cards only opened the areas each person was allowed to enter; for example, only IT support staff and certain developers had access to the server room. Note that, unlike at some companies, the cleaner had no access to the server room or the developers' work area.

Get the idea?

On the power side, all critical systems had redundant supplies, with independent backup power from a generator behind a battery backup system.
Firewalls separated the internal networks from each other and the inside of the company from the outside. Each department ran on its own local network, with connections between networks only for the people who needed them.

You can keep adding lower-level layers of protection, such as making sure all USB drives are encrypted and locked so that they can only be used to move data between company computers.
Measures like these are simple to put in place; they are not rocket science and they need not cost you a fortune.

Remember: Plan, Do, Check, Act, and repeat as necessary. But always ask professionals for advice. Believe me, the kid next door who builds his own computers and sells them does not know enough about the threats to your business.
If you are in the UK, consider implementing Cyber Essentials, the government scheme that brings businesses up to a minimum standard for protecting data. It is well worth a look: during the recent attack on the NHS, none of the NHS Trusts that had completed Cyber Essentials certification were breached.

