You are only as secure as your weakest link
Keeping information secure within your organisation rests on the actions of your staff. You can develop strong policies for information security. You can patch, monitor and defend your systems against attacks. You can get certificates and accreditations for all the key standards, like Cyber Essentials, PCI DSS and ISO 27001.
But it can all go wrong with one phone call.
This week our support team took a call from a mid-ranking police officer who thought they had been locked out of one of our systems. After confirming their email address they went on to say “I’m not sure why it’s not working, I use the same password for everything”.
Alarm bells started ringing at this point.
They continued, “I’ve tried using that and it didn’t work, do you need to know what the password is?”
Before our support team could answer “No, please don’t tell me, or anyone else for that matter!” they read it out.
They thought nothing of this, but now our support team, and anyone else sitting in the open plan office with our caller, knew: a) our caller's name and email address, b) that they used the same password for everything and c) what that password was. To compound the matter further, the password was highly guessable and not at all complex.
Luckily for this officer our staff take security seriously and wouldn’t do anything with that knowledge. But who else heard? How many other times has that conversation happened? What systems could now be considered at risk due to that compromised information?
Keep in mind this was a police officer we were speaking to, someone from an organisation with a keen interest in maintaining security. On another occasion could you imagine that caller being someone you work with? Could it be you?
Educating staff on the fundamentals of information security is critical. Everyone in your organisation needs to understand why it's important and what they need to do each day to keep information safe.
Here at Alliantist we make sure staff are aware of information security from the moment they start. A key part of our induction process focuses on helping staff understand our policies and what they mean in practice, starting with the basics: whether that's helping new starters to use a password management system, or someone reminding them to lock their screen when they leave their computer. We use standard frameworks for HR to guide us through repeatable processes, like induction, which are then locked down once we are happy staff have understood.
We regularly update our team on information security best practice - our most recent bulletin was about phishing scams - and everything we do is logged and recorded in our ISMS and staff communication areas. So when the time comes for an audit we can demonstrate to the auditor what we’ve done to maintain our accredited status.
If you want to find out more about how we can help you manage your policies and processes for information security and data privacy, get in touch… no password required!
Sam - Operations Director at Alliantist
Or visit www.isms.online for more information
Update: While finishing off the final draft of this post our support team got an email from a different user who said “Don’t worry I’m in now, I found some details in my diary with my correct email address and beneath that was another password that worked.”
… at least they didn’t read it out loud!