Your People - security weakness or security defence?
In every organisation, regardless of the security technology in place, there remain risks associated with the people who interact with your information and IT systems. Research released in late 2009 by IDC [1] found that the growing number of incidents in which employees inadvertently violated corporate policy had become the most serious "insider threat". In fact, the research found that organisations experienced an average of 14.4 incidents of unintentional data loss through employee negligence during 2009.

*Average incidents in 2009 per organisation surveyed in IDC report 'Insider Risk Management: A Framework Approach to Internal Security.'
The recent incident at Virgin Blue, where workers were sacked for inappropriate sharing of explicit video, is an example of employees not adhering to security and corporate policies, and not being educated about the security issues and the consequences of their actions. The sacked workers claim that the inappropriate content sharing was part of the Virgin culture, and will contest their dismissal in court.
The latest report from Pricewaterhouse Coopers, 'Protecting your Business' [2], says that employees should be empowered and educated about technology risks so that they become the first line of defence against security threats. The report argues that organisations are too complacent about security and assume that they will not be affected by a breach, and that this attitude then filters down to workers, who come to believe that security is "someone else's problem".
The PwC report recommends that companies 'make staff more aware of security risks, and educate them on how to defend against attacks.'
"The goal is that all those working for an organisation are alert to the risks, will want to act to protect information and will be actively supported in doing so," said Craig Lunnon, senior manager of HR services at PwC.
"As the first line of defence, security-aware employees are often best placed to identify a potential breach or weak link. Equally, they can prevent and reduce the impact of incidents when they do occur."
Loop Technology has always maintained that security-educated employees are an essential component in the fight against security threats, and that security awareness should be built into an organisation's risk management framework. The information security industry is moving in the same direction: we saw this theme at AusCERT 2010 on the Gold Coast and at the RSA Conference in San Francisco, where many of the presentations focused on the people aspect of information security.
Many of our clients are also realising the benefit of Information Security Awareness programs and using them to substantially improve their organisation's security posture. In terms of 'bang for buck', this approach is becoming preferable to investing in point-product solutions, which can complicate the security infrastructure and in some cases cause more problems than they solve. Security awareness is also a requirement under several standards and guidelines, including ISO 27001, PCI-DSS and APRA PPG234. Craig Lunnon of PwC sums it up: "only by assessing employee behaviour, and improving their security awareness, will enterprises be able to invest in effective technology."
It is actually quite simple. Organisations that successfully instil a security-conscious culture and regularly educate their employees about security will see those employees defend against security risks rather than cause them.
Through the communication of information security controls, our clients have recognised benefits including:
•Fewer risks being realised
•Fewer information security incidents
•Fewer data leakage incidents
•Fewer instances of non-compliance with policies
•Lower costs for managing and recovering from incidents
•Reduced likelihood of court action by employees for unfair dismissal when they are disciplined for violating policy, because the policy and its consequences were communicated.
Loop Technology has successfully created and implemented tailored Information Security Awareness and Education programs for our clients. We work with your organisation to plan the program, agree on how it is to be delivered, and create all program materials. To speak to a consultant about your education requirements, please contact us here.
[1] IDC Whitepaper, 'Insider Risk Management: A Framework Approach to Internal Security', August 2009.
[2] Pricewaterhouse Coopers, 'Protecting your Business', June 2010.