By: iDiscovery Solutions on 11/20/2020
When you ask people about the necessary elements of good information security, they will often talk about technology – firewalls, secure servers, identity and access management, network segmentation and other technical dimensions. However, the most common problems we face relate to things that people do, as opposed to any lapse in our technical controls.
One key focus therefore needs to be information security awareness training. The vast majority of issues we face on a day-to-day basis are:
- Business Email Compromise
- Ransomware
- Malware
- Data breach
The most common cause of virtually all four can be traced back to people: people clicking on bad links or opening suspicious attachments, people using (or reusing) weak passwords, and people approving changes to payment destinations and processes on the basis of obviously fraudulent emails or deceitful phone calls.
There are a number of technical solutions that can mitigate each of these risks, such as tools that scan external links or flag attachments coming from an external address. On their own, these are not enough. While technology can be used to reduce the likelihood of attacker success, in the end, poor practices can overcome good technology.
So what is the answer? Training and compensating controls. Your people need to understand how bad guys operate and need to understand social engineering. They are being targeted – they just need to understand what that looks like. Train your team, but test them as well. Reward team members that report suspicious activity and use those reports as a basis for training the rest of the team.
Controls may need to be modified in a world of working from home. If employees in the office would normally have a second set of eyes verify something before they proceed with approving a transaction, translate that secondary check into a process that works remotely. Teach them that bad guys often seek to have employees skirt the rules in the name of urgency. It is important to ensure that they understand that compliance with internal controls will not result in disciplinary action.
Finally, review both your training and your control processes and verify that they translate into the new way of working. If you have not already enhanced access control through the use of multi-factor authentication, then consider adding that as an additional layer of protection. But above all, remember to stay connected to your employees so that they understand that security is everyone’s job and that we all need to be vigilant even if we are in our sweatpants.
iDiscovery Solutions is a strategic consulting, technology, and expert services firm – providing customized eDiscovery solutions from digital forensics to expert testimony for law firms and corporations across the United States and Europe.