Best Practices in low-tech Information Security measures


Remco Blom
Posted by Remco Blom on Jun 26, 2014

Enterprise Architecture, Governance, Risk & Compliance


Sharing knowledge and good practices is one of the core values of BiZZdesign. We regularly organize and contribute to online and offline seminars, conferences and round-table sessions. Recently we held a very successful seminar on Enterprise Risk and Security Architecture for Dutch financial institutions. After a presentation on “Security is not an IT problem”, we discussed the missing links between policies and the measures that are supposed to implement them. Then we held a World Café on various topics to learn from each other. Please share your good and worst practices by reacting to this blog.

Thinking about truly low-tech measures was hard for most participants of the Enterprise Risk and Security Architecture seminar, since most of them have a background in IT. Nonetheless we managed to come up with the following set, which still contains (relations to) IT.

C-level sets the example

Having all sorts of technical information security measures is not enough if managers set a bad example. Every manager, especially at C-level, should understand the information security protocols and work accordingly! If the C-level is willing to set the right example, and really be a front runner in security awareness creation and secure behavior, this is of great help. Only a few of those present in our workshop had actually asked their C-level representative to be an active ambassador for the security efforts taken. All agreed that this can be a low-tech security best practice of great value.

Accurate role based authorization

Related to IT, but not a technical measure in itself, is the accurate application of role-based authorization. In some organizations people get too wide an authority in systems, to make life easier for the employee, the managers and the IT department. This is a serious threat to information security. Having a current set of roles and a current set of employees in your Active Directory is of the utmost importance for effective information security: every account should belong to a current employee, and every role an account holds should be one its job function actually requires. Whether this is the case can easily be tested by your auditor or by an ethical hacker you hire.
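The check described above (are the roles and the employee list current, and does anyone hold more authority than their job requires?) can be run as a simple reconciliation. The script below is an added example, not code from the blog or from BiZZdesign; it assumes a directory export and an HR roster in the CSV columns shown, plus a role catalogue per job function, and uses constructed sample data.

```python
"""Reconcile directory accounts against the HR roster and a role catalogue.
Assumed inputs (not from the blog): CSV text with the columns shown below and
a catalogue mapping each job function to the roles it may hold."""
import csv
import io

# Constructed sample: directory export (account state and assigned roles).
DIRECTORY_CSV = """user,status,roles
alice,enabled,finance_reader
bob,enabled,finance_reader;finance_approver;domain_admin
carol,enabled,hr_reader
dave,enabled,finance_reader
"""

# Constructed sample: HR roster (who is still employed, in which job function).
HR_CSV = """user,employed,job_function
alice,yes,finance
bob,yes,finance
dave,no,finance
"""

# Constructed role catalogue: the roles each job function is allowed to hold.
ALLOWED_ROLES = {
    "finance": {"finance_reader", "finance_approver"},
    "hr": {"hr_reader"},
}

def reconcile(directory_csv: str, hr_csv: str, allowed: dict) -> dict:
    """Return three kinds of findings: accounts with no HR record (orphaned),
    accounts of leavers that are still enabled, and roles beyond the job
    function (excess authority)."""
    roster = {row["user"]: row for row in csv.DictReader(io.StringIO(hr_csv))}
    findings = {"orphaned": [], "should_be_disabled": [], "excess_roles": {}}
    for acct in csv.DictReader(io.StringIO(directory_csv)):
        user = acct["user"]
        roles = set(filter(None, acct["roles"].split(";")))
        if user not in roster:
            findings["orphaned"].append(user)  # nobody in HR owns this account
            continue
        if roster[user]["employed"] != "yes" and acct["status"] == "enabled":
            findings["should_be_disabled"].append(user)  # leaver still active
        extra = roles - allowed.get(roster[user]["job_function"], set())
        if extra:
            findings["excess_roles"][user] = sorted(extra)  # too wide authority
    return findings

if __name__ == "__main__":
    for kind, items in reconcile(DIRECTORY_CSV, HR_CSV, ALLOWED_ROLES).items():
        print(kind, items)
```

Each finding maps to one of the failure modes in the paragraph: an orphaned account, a leaver whose account was never disabled, and an employee with authority beyond their role.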

Free ice-cream


Passwords, pen testing and network zoning do not have to go to the bathroom a few times a day. Or have meetings. Or have lunch… People do. Is everybody, always, locking their desktop? If not, their machine, and with it your network, is open to everyone present in the room where that machine stands! A very effective measure can be to take their laptop and send an email from it to all colleagues in the office, inviting them to have free candy or ice-cream. The careless colleague will be visited and teased the whole day, and will never forget to lock his desktop again!

News feeds on current security events

The free ice-cream example shows that people simply forget, so we need to draw attention to security topics and keep it there. Sensational news items always do well at attracting attention. Not just in newspapers and on television, but also on your intranet. When a competitor or another large organization has been hacked, this can be a good occasion to bring your message across to people. A real example makes things come alive and might scare people just enough to rethink their behavior, if only for a short time.

Not just serious communication

Security is a serious matter, but in communication emotions really matter. A smile or a tear will touch and impact people more than purely rational messages. Pictures will have more impact than text alone. Make it fun and exciting!

Advertise mistakes and learn from them

Organizations are hesitant to share the threats they face and the breaches they have suffered. Attendees in our session think it is wise to share the mistakes made in your company, explain what went wrong and what you have learned from it. This works far better for educating people than talking in abstractions and theory. You cannot expect everything to go according to plan, so it is better to be prepared and learn fast.

Information security is not about technology alone. Low tech measures and open communication can really make a difference! Start or join a discussion below or use the social buttons to contact us and learn more. 
