Be More Risk Aware
Protecting your organisation from security threats requires both a fully operational security system and an end-to-end process for making staff more aware of security risks.
When you take a holistic view of the security of your organisation, you mitigate losses to your organisation and show your people that you truly care.
In these turbulent times of Panama Papers, ISIS attacks, cyber heists and bank frauds, threats to your organisation and to yourself are an increasing risk. Your organisation may have a security policy that covers most or all bases, but the main weakness in any security system is the people who staff it.
To err is human, and all it takes is one momentary lapse or mistake to cause significant financial and emotional loss to your company, to yourself or to your colleagues. How quickly you identify and mitigate security breaches depends on how vigilant your staff are, and that in turn depends on how well trained they are.
Unethical behaviour can usually be identified by a behavioural event: a visible occurrence that signals that something is wrong, is already going wrong or is about to go wrong.
A warning sign can be verbal, such as a threat to damage an organisation or a person, or non-verbal, such as a change in a behavioural pattern (for example, unauthorised persons loitering in a secure area). Vigilant staff will recognise these warning signs immediately, but they do not always report them. Better protecting your organisation therefore requires a process whose goal is to make staff at all levels more aware of the risks it faces from threats, whether insider or outsider.
Threats to any organisation begin with the motivations of the attackers, and these commonly range from financial gain and the grievances of disgruntled employees to the pursuit of notoriety and mental health issues. How motivated an attacker is to breach a security system depends on what they have to gain from doing so and on the probability of getting away with it.
Identifying these motivations should help aware employees to recognise the points in an organisation that are most vulnerable to attack, so that greater security measures and vigilance can be applied at those points to mitigate the risks.
Identifying and assessing the risks an attack poses to an organisation are standard procedures outlined by ISO, and they are commonly overseen by security and risk management professionals as well as HR.
However, the people side of security risk management is often neglected. There are proven case studies showing that well-trained, vigilant staff can successfully defend an organisation against insider and outsider attacks, preventing loss to the organisation and even transferring the burden of losses and costs to outside stakeholders such as international agencies. For staff to do this effectively they must be well trained, so that they are more aware and knowledgeable about the threats they face and know how to report unethical events to their superiors without fear of being admonished.
Creating Awareness Through Clear Messaging
Creating awareness of how to identify, mitigate and report unethical events in an organisation first requires educating your staff about the threats they face and the tools they need to manage the resulting risks. Awareness vehicles such as newsletters and blogs are commonly used and must be endorsed by leaders within the organisation, so that staff at all levels feel confident to report behavioural events.
Clear, simple messaging of security policies, tools and procedures is an easy way to reinforce awareness, backed by regular checks by those responsible to ensure that these procedures are understood and owned by staff at all levels within the organisation.
The added value of an end-to-end company security process lies not only in mitigating financial and emotional losses to your organisation but also in showing your staff that you really care about protecting it. Doing so will create engagement at all levels throughout your organisation.
#security #risk #ethics