Australian Security Magazine, Oct/Nov 2015

Cyber Security

The human element in information protection

By Ilya Umanskly and Leon Hill

Social engineers are experts at exploiting behavioral cracks in otherwise sound policy and procedures for information protection. And their methods are not limited to computer hacking, phishing and other digital tactics. They know easier ways in. For example, how many times have you seen company employees courteously hold open a door, allowing strangers into controlled spaces? Being polite trumps a company’s clear requirement to authenticate every person entering internal office spaces.

Despite ever-accelerating technological progress, the weakest link in information protection practices remains human behavior. A robust policy and control framework for information protection isn’t worth much if personnel across the organisational structure maintain excessive discretion, have low risk awareness and engage in behavior that can jeopardize and defeat protection controls.

Companies that seriously want to protect their proprietary information must ensure that protection measures on the computer systems and networks are matched by a corporate culture that encourages information control awareness and enforces consistent compliance with information security practices.

What exactly are you protecting? And what are you missing?

Information is available everywhere, each in its corresponding domain — physical, verbal and digital. Today’s ubiquitous networks that interconnect most operational functions along with Internet-based platforms make it tempting to consign “information” exclusively to the digital domain. Most discussions about information security automatically presume this association. This mindset has resulted in physical and verbal information being increasingly ignored and routinely neglected by information protection professionals and information owners. The time-honoured WWII maxim “Loose lips sink ships” has been replaced with the mantra “Change your password every two weeks.” People may incessantly text message each other, but they still like to talk, too, and may well routinely over-disclose sensitive physical


Australian Security Magazine, Oct/Nov 2015 by MySecurity Marketplace - Issuu