Despite great technological advances in recent years and the appearance on the scene of security devices and environments that are more rapid, more efficient and more sophisticated, it is clear that the main component guaranteeing the security of an organization is still its staff. Staff members remain, without a shadow of a doubt, the most vital links in the traditional security chain.
It is true that we can implement security measures like complex firewalls, intrusion detection systems, fingerprint access systems, mile-long passwords, or all-in-one tools that incorporate antivirus and antimalware programs, antispyware, and the like. However, in the end it is the staff member who manages the information, modifies it, transmits it, deletes it, or processes it.
It is true that we can apply all sorts of policies to ensure that users can access only the information that is strictly necessary for them, and that information is securely stored and encrypted when transmitted. However, we cannot stop staff accessing information; indeed, we do not want them to be excluded from it.
Access to information by employees is a necessity. This brings with it risks, and not just, or even primarily, from employees with bad intentions. The main sources of threats are staff members who, through ignorance or lack of awareness, adopt risky behaviours, such as visiting a malicious website, deactivating antivirus programs, executing a file attached to an e-mail, or connecting an unknown USB device to their equipment.
Faced with this, the most obvious choice is to limit radically the means of extracting, sending, copying and deleting information that are available to staff. Measures might include limits on access to external mail, checks on e-mails sent to third parties, or restrictions on USB ports.
However, experience has shown that a strategy of excessive restrictiveness is ineffective and counterproductive. Too many restrictions lead to complaints from users about the difficulties put in their way in performing their day-to-day tasks. They also slow down business procedures, with an evident loss of productivity. At the same time, it is not always possible to find an efficient, transparent and legal way to monitor staff use of systems like e-mail. The same occurs with many other measures that at first sight seem to be good ideas.
The solution to the problem lies in working to raise the awareness of users with regard to information security. If we can get staff members to be wary of attachments received with e-mails, to keep a constant eye on their laptops if they are in an airport, or to use encryption tools on their machines, then a good number of threats will have been avoided. At that point it is possible to apply the measures needed to mitigate the remaining risks, which will indeed come from attackers and users with bad intentions.
To help businesses launch a complete project for the integrated improvement of their organization's security, INTECO has designed an awareness-raising program, incorporating numerous graphic materials, interactive elements and detailed programming. The intention of all this is to enhance security from within the very heart of a business: the people working for it.
All information is available only in Spanish.