ISMS: The Missing Link

Whenever any information security system is being implemented or improved there are three basic tenets to take into account:

  • People
  • Technology
  • Processes

You can spend all the money you like on technology or tighten the processes up to the nth degree, but unless people are considered, the security will not be watertight.

It is people who make or break security systems. Some will cause issues by making mistakes; others may be tempted into some nefarious activity, or act because they are disgruntled for some reason. A classic case of this is that of T-Mobile’s employees, who unlawfully sold customers’ personal data to third parties. Most employees, however, compromise security through oversights.

Holding doors open for people we don’t know, letting them have access to buildings, choosing easily guessed passwords, leaving confidential papers on desks and printers, not keeping laptop screens away from prying eyes, discussing sensitive items on a mobile in public places: these are the everyday oversights. Who hasn’t heard someone on a train ordering stuff using a mobile where they give their name, address, card number and CVV code?

If people can do that with their sensitive personal data, what might they be doing inadvertently with your data?

Getting people on board is vital for a comprehensive security system. Yes, you do have to have the right processes for them to follow, and the technology has to be secure in itself. There are things you can do to inhibit people’s behaviour or to prevent breaches. The technology might be encryption for mobile devices (data sticks, laptops, mobile phones), or it might be some form of endpoint protection. All of these help, but they do not in themselves afford full security.

So, how to bring people on board? Mostly, it is about communication. Share with your staff what you want to achieve, ask them to help you. Above all, provide them with training on what you consider acceptable and unacceptable behaviour. In particular, raise their awareness of how they can improve or compromise security. Point out what bad things can happen and what good practices they can employ.

This type of training can be dull, some of you will think. However, you can make it entertaining or even interactive, which is always a plus. You might consider introducing an e-learning course to your staff, or installing animated graphic reminders on their computers, or hanging information security awareness posters on the wall, or presenting them with a book on the subject. Whichever of these options you choose (why not all of them?), one thing is sure: you won’t go wrong.