The best policies and controls in the world can’t resolve the weakest link in the chain of IT security breach prevention, detection and mitigation – i.e. ‘people’.
To mitigate the risk of falling foul of information security civil or criminal regulations, here’s a checklist of responsibilities, grouped by role:
IT and Information Security leaders:
• Update the company information security policy each year, clearly setting out roles, responsibilities, and reporting lines for incidents.
• Educate the entire company workforce via periodic awareness programs.
• Keep the risk of information security breaches high on the corporate risk register.
• Ensure employees are aware of both the internal consequences, i.e. the economic and reputational risk to the company, and the potential legal consequences of an inadvertent or deliberate breach of the regulations.
• Train security staff not only to protect the network from external threats, but also to detect internal breaches of policy or regulations.
• Create two separate information security policies, i.e. a technical policy for your IT, Compliance and Information Management teams, and a general policy for all employees.
• Invest in information security tools to scan all digital information repositories on an ongoing basis for potential breaches.
Board members:
• It’s in the board’s interest to understand the information security risks to the organisation, as a breach can affect not only the reputation of a company, but also the bottom line.
• Information security risks need to be tabled at board level, and if the CIO isn’t on the board, a non-exec director needs sufficient knowledge to understand the risk exposure the company is facing.
• The board approves the overall spend of the company, and the audit committee needs to be asking the question “are we investing enough in information security to protect our company’s reputation and bottom line?”
Senior managers:
• The CIO/CISO needs your help to manage IT security risks, i.e. assistance to ensure the IT security policy is cascaded down reporting lines and adopted.
• Senior managers, who have a direct line of sight to the operational risks faced by the company and the potential impact of these risks, should be champions of IT security, leading by example and ensuring good practice is adopted across their designated business units.
All employees:
Humans are the weakest link in the IT security chain. To reduce the risk of breaching your company’s IT security policy or, worse still, the law:
• Familiarize yourself with your company’s IT security and compliance policies.
• Familiarize yourself with your country’s civil or criminal information security regulations.
• Remain alert, and treat information security as a joint responsibility rather than the responsibility of your IT department alone.
• Stay safe, stay ethical, and stay compliant.