Security Common Sense
Businesses of all sizes and complexities are now being encouraged to invest in information security. This is a very good thing, and very necessary, and not just because information security professionals have bills to pay. Industry loses millions of pounds' worth of equipment and data every year. Security is news, and if you are a business with a high profile or reputation it is particularly important that you keep your data safe.
So how does information leave your business?
Mistakes happen. Some security breaches happen because someone makes a mistake. That is not the same as doing something stupid; it is doing something you are not meant to do, or something that is not wise. It is not stupid to take your work laptop home, even if that means it gets left there while you are on holiday. However, when an employee of Norwich Union did that and was subsequently burgled, it proved to be a very expensive mistake to make, as the total cost was about £8M. Raising security awareness should be ongoing and pervasive, not just putting staff through a day, or half-day, presentation once a year, which some will sleep or ‘blackberry’ their way through anyway. For example, every year hundreds (or thousands, after an increase in the security alert level) of electronic devices are left at airports and never claimed. Most of these will be business machines. Why are staff not motivated to try and retrieve their stuff?
Curiosity. Psychologists maintain that curiosity is a vital part of learning and as such is a good thing. On the whole, information security managers would prefer that staff were not curious about the consequences of their actions. If I tell you that downloading an unexpected greetings card is a really bad idea because it can contain a virus or other malicious content, I would like you to believe me and not do it.
Confusion. Someone once suggested to me that information security policy should be designed for the confused and the drunk. A lot of shaky judgements are made late in the day, or when we are unwell or stressed. A good security policy has first to accept that staff do not function at their best 100% of the time, and then direct behaviour accordingly.
It would be lovely to be able to go into a business and hand over a beautifully produced and bound information security policy that I have carefully devised to suit their own business operation, and feel that it will keep them 100% safe. However, that is only part of the solution. Staff need to be aware, not just informed; they need to learn to see and understand risk themselves, so that they know when to refer to the policy and be guided by it. In the real world, information security policy is only as good as the people who read it and those who carry it out.