Most information security breaches can’t be blamed solely on the actions of a mysterious hacker. Rather, a company’s employees could often have taken basic steps to protect the company’s information. This human element in computer security is the trickiest to deal with. There are three types of breach based on failures in human security. The first case is where an employee or contractor intentionally causes a security breach. The second case is where employees knew how to secure the information, but decided not to do so because it would take some effort. In the third case, employees simply didn’t know what they needed to do. Luckily, there are steps you can take to dramatically decrease these areas of risk.
Let’s look at the first case – intentional criminal activity. Here are a few examples. An assistant or office manager could use consumer information to commit identity theft, or use MLS data to pick homes for break-ins. Likewise, an employee could misuse confidential information or give others access to members’ financial data. These crimes may not happen every day, but when they are exposed, people wonder why common-sense steps were not taken. Why hadn’t a reference, criminal background, or credit check been recently performed on the employee?
The second case: someone who knew how to secure the information but didn’t. A Realtor might know that he shouldn’t share his MLS password, but does anyway. A computer user might know that he should apply the monthly Microsoft security patches, but finds it inconvenient to do so. The third case: someone who doesn’t know what to do. For example, an office’s IT staff might not know how to configure the computer settings or how to adopt a secure network topology. In all of these cases, you can reduce security risk by implementing policies that educate employees in detail on what they are supposed to do to protect information assets, and that specify what will happen if the policies are not followed. If implemented properly, policies can also be used to show that an organization did all it could reasonably do to stop a security breach from occurring, possibly limiting its liability.
Let’s consider how a company policy could have solved some of these problems. A “Password Policy” would have taught the Realtor how to create a strong password and the why and how of protecting it properly. An “Acceptable Use” policy would have helped the computer user understand why he needed to apply the Microsoft security patches ASAP, and would have made it clear that it was his responsibility to do so. The computer guy would have read the “Server Security Policy” and understood his specific responsibilities for securing the computers and the network. That’s why, when Clareity works with its clients to assess and mitigate security risks, the first step is to determine the appropriate set of security policies to be implemented and provide those customized draft policies.
But it’s not enough to have policies written down. You’ve got to make sure someone is responsible for educating staff on the policies on a regular basis. Someone also has to monitor how well people are complying. And someone’s got to make sure the policies are still valid, and, if necessary, amend current ones or draft new ones.
So remember: Information security is an effort that starts at the top. If you implement good information security policies that take the human element into account, your organizational risk of an information security breach goes down significantly — and so does the risk of liability.
About the author: Matt Cohen is Clareity Consulting’s Chief Technologist and leads its security assessment practice. Matt has spoken at many conferences, workshops, and leadership retreats around the country on security-related topics, and is a well-regarded real estate industry expert on real estate technology and information security. Clareity Consulting (www.callclareity.com) was founded in 1996 to provide management and information technology consulting to the real estate industry.