No, this blog is not about diving or any other sport where one might get wet. Wet Ware is a rather unattractive name some security professionals give to the user of a computer system. It is claimed that it is impossible to ‘patch’ Wet Ware, which results in it being the most vulnerable part of most systems.
In my last blog, I suggested that not all cyber (I am growing to dislike this term) incidents can be prevented by technology. There had been a recent incident at Lincoln County Council, which had been caused by a user opening a bad email and clicking the link it contained. Patching our wet ware (last reference, I promise) is actually becoming more important than ever. It is not impossible, but it is not a small task.
The PWC Information Security Breaches Survey 2015 reports that 50% of the worst security breaches of the year were caused by inadvertent human error. The numbers are rising as well: there was a 58% increase in large companies and a 31% increase in small companies in breaches resulting from human error.
Dealing with this is multifaceted:
- The top of the organisation has to be seen to ‘do the right thing’. If top management are gung ho in handling company information, then you can be sure the rest of the organisation will be too.
- Policies and procedures. I know these are considered a pain, but they don’t have to be: they can be short and only cover what is needed. Policies and procedures are important because they give employees a reference point. I have very different standards in the management of my information from those of some of my customers, but their policies give me a point of reference for how I should behave. Without that I may do my own thing. What policies should a business consider? That depends largely on the risks they feel they are mitigating, but as a minimum the following could be considered:
  - Document control. Where and how is information stored, and who can access the stores? How long do you retain the information for your records?
  - Protective marking of information. Ask yourself a question: if I rang your company, spoke to a secretary, sounded knowledgeable and asked for some information, would they know if I was allowed to see it? A simple marking system which indicates the level of sensitivity of the information would provide that guidance. So if I rang and asked to see a document that was marked Company Eyes Only, they would instantly know that they could not send it outside of the organisation.
  - Joiners, Movers and Leavers actions. What do you do with system access rights on each of these occasions?
  - Use of removable media like USB sticks, CDs or cloud transfer services such as OneDrive, DropBox etc. Once data leaves your system and enters one of these environments, what control do you have?
  - Bring your own device. What devices of their own are you going to allow your employees to use for work-related activity? What are their responsibilities if they do use their own technology? What are you going to do to prevent loss of data on that device, etc.?
- Training. You have your policies and procedures, and now you have to inform people what they are, how to use them and why they are relevant. In addition to training on the policies, I would also include training on responsible business use of the internet and especially social networking.
In the bullet points above, I have skimmed the surface of what organisations should consider to ensure their employees don’t become the weakest link in the information security chain. Combine this with general development and it will not become too onerous a task. It is certainly a lot less hassle than a breach, which the PWC report says now costs on average £40,000 – £250,000 for small companies and between £800,000 and £2.1m. Ouch!