Are your employees your biggest security concern?In the year 2005, there were over 53 million individuals affected by security breaches wherein their personal information was compromised. The ChoicePoint incident was considered one of the first highly publicized events where notification to the individuals affected was made. As the year closed, more than half the Statesâ€™ Legislatures considered or approved bills to protect citizensâ€™ personal information. Congress considered several bills that would make notification of a security breach mandatory nationwide.
The cause of security breaches varies widely from compromised passwords, to stolen laptops, to lost backup tapes, dishonest insiders, online exposure, hackers, and even inadvertent disclosures such as sending out an email containing social security numbers to a mass mailing list. The onus of protecting personal information sits squarely on the data ownerâ€™s head. What can financial institutions do to make sure that employees do not participate either willingly or unwillingly in data disclosure?
According to the SANS Institute, the mistakes people make are broken down into roughly three categories:
1. The mistakes End User make
2. The mistakes Executive Staff make
3. The mistakes Information Technology people make
While the SANS list makes End Users responsible for keeping things like anti-virus up to date and operating systems patched, these functions can be and should be automated by IT staff. In light of the types of security breaches that occurred in 2005, it seems that End Users should be ever vigilant about the following:
â€¢ Do not share your password or account with anyone.
â€¢ Use a strong password, over 8 characters long, and with a mix of special characters. â€¢ Change your password every thirty to sixty days.
â€¢ Do not write your password down on a â€œsticky noteâ€ and hide it under your keyboard or anywhere where it can be easily found.
â€¢ If you are authorized to travel with a laptop, treat it like your wallet, not your luggage.
Executive staff, according to the SANS article, have a much bigger responsibility. Many of the breaches that are known to have occurred in 2005 were the result of dishonest insiders, hackers, or poor security procedures (i.e., losing a backup tape). Hiring the right people to do the job is critical, background investigations are a must, and making sure that the people who are responsible for security are properly trained and appropriately tasked. Security should be a top down initiative and one of the highest corporate priorities. Security is not just a one time event (i.e., a firewall), but a multi-level and multi-layered approach to protecting not only the network, but the systems, data, and access to such.
IT people are typically held responsible for things over which they have no control. For instance, if a data encryption policy is put in place, IT must have the resources and funds to encrypt data at rest and in transit. Encryption is a big deal in the world of networking and may require revamping the network in terms of encryption capable hardware and bandwidth needs. Perhaps the biggest problem IT faces is having the time to harden systems prior to putting them into production. It is managementâ€™s responsibility to develop and mandate security policies, so that secure processes and procedures must be in place before systems â€œgo liveâ€, as well as make sure that IT is properly staffed.
A comprehensive Security Awareness program would go a long way towards educating employees at every level. The breakdown of End User, Executive Staff, and Information Technology people is a good way to start. End users need to understand that clicking on that link he or she received in an email may install a backdoor Trojan that includes a keylogger (a hidden application that records keystrokes of the user and sends that information to a hacker via the network thereby capturing login and password). Executives need to understand that Information Security must be a top priority and budget accordingly. IT people need to understand that every time they rush to meet a deadline and put an unsecured system into production, they are jeopardizing the security and safety of the financial institution.
Marcia J. Wilson is an Information Security Professional and a freelance writer. Her expertise includes network security assessments, information security policy and procedure development, business continuity and disaster recovery planning as well as security awareness training for small and medium sized companies.