PINAR AKKAYA - The Human Dimension


Human Aspect of Information Security > Presentation done on 12 October, 2011 E-Crime Event, Istanbul

The Human Dimension

human aspect of information security

Guess you’ll all agree with me that….

bad information security

means

bad company security

lost credibility

we must be sure that

we protect our data, our

commercial secrets, our assets

and our business transactions

YOU DO EVERYTHING TO MAKE THIS HAPPEN

FOR SURE

but…

EMPLOYEES WORK WITH COMPANY DATA,

COMPANY SYSTEMS, THEY ARE IN TOUCH WITH

CLIENTS, SERVICES AND PRODUCTS.

THEY NEED TO UNDERSTAND THE BASIC

PRINCIPLES OF INFORMATION SECURITY.

Fact:

HUMAN ERROR IS THE CAUSE OF 42% OF ALL SECURITY BREACHES

ISC2 White Paper: Securing the Organizations: Creating A Partnership Between HR and Information Security

Information security is one of the biggest challenges a business faces today.

Ref: Checkpoint Technologies & The Ponemon Institute Survey 2011 >> 2,400 IT security staff across the world

50% of respondents think that their employees had little or even no awareness of data protection issues or corporate security policy.

55% of companies used over 7 different vendors to keep their network secure.

When does “an employee” become a RISK?

Do you know what these are?

123456

Password

iloveu
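The three strings on this slide are among the passwords seen most often in breach dumps, and the reason an employee becomes a risk is rarely that they chose one on purpose: it is that nothing stopped them. As an added example (not part of the original presentation), the screening below is what a sign-up or password-change handler should run before the password ever reaches the hash function. The blocklist is a constructed sample, and the minimum length, the leet-speak table and the keyboard rows are assumed illustrative settings; a real deployment loads a full breach-derived list from disk.

```python
"""Weak-password screening (added example, not from the presentation).

Checks a candidate password before hashing:
  1. normalise trivial variations (case, leet substitutions, trailing digits),
  2. compare every variant against a blocklist of known-bad passwords,
  3. reject keyboard walks and repeated-character runs,
  4. enforce a minimum length.
"""
import re

# Constructed sample blocklist; a real deployment loads a large breach-derived list.
COMMON_PASSWORDS = {
    "123456", "password", "iloveu", "iloveyou", "qwerty", "letmein",
    "welcome", "admin", "abc123", "monkey", "dragon", "football",
}

# Leet substitutions users apply to sneak a dictionary word past a naive check.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})

KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
MIN_LENGTH = 12  # assumed policy value


def variants(password: str) -> set[str]:
    """Forms of the password the blocklist lookup must consider.

    'P@ssw0rd1!' yields 'password' among others, so the blocklist still hits.
    If stripping trailing digits/punctuation empties the string (e.g. '123456'),
    fall back to the lowered form so the raw value is still checked.
    """
    lowered = password.lower()
    stripped = re.sub(r"[\d\W_]+$", "", lowered) or lowered
    return {lowered, stripped, stripped.translate(LEET_MAP), lowered.translate(LEET_MAP)}


def has_keyboard_walk(password: str, run: int = 4) -> bool:
    """True if `run` consecutive characters follow a keyboard row, either direction."""
    p = password.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - run + 1):
                if seq[i:i + run] in p:
                    return True
    return False


def has_repeated_run(password: str, run: int = 4) -> bool:
    """True if one character repeats `run` or more times in a row ('aaaa', '1111')."""
    return re.search(r"(.)\1{%d,}" % (run - 1), password) is not None


def screen_password(password: str) -> list[str]:
    """Return the reasons the password is rejected; an empty list means it passed."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if COMMON_PASSWORDS & variants(password):
        reasons.append("matches a known-bad password (after normalisation)")
    if has_keyboard_walk(password):
        reasons.append("contains a keyboard sequence")
    if has_repeated_run(password):
        reasons.append("contains a repeated character run")
    return reasons


if __name__ == "__main__":
    # The three passwords from the slide plus a leet-speak variant and a passphrase.
    for candidate in ("123456", "Password", "iloveu", "P@ssw0rd2023!", "orange-kettle-sand-9"):
        verdict = screen_password(candidate)
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

The point of the `variants` step is that a blocklist check on the raw string alone is easy to defeat: “P@ssw0rd2023!” satisfies most complexity rules and never appears verbatim in a breach list, yet it normalises to “password”. Screening like this removes the decision from the employee, which is the only reliable way to close the gap the deck describes.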

I mean…

The gap between you guys

And your average employee

is

HUGE

Fact:

We don’t know as much as you do

Paper, pen, letter

typewriter

computer

internet, e-mail

Web 2.0, social media

Virtual communities

People move…

Both in real and virtual world…

And they create risk!

With or without knowing it

A picture…

87.5% of large businesses have a security policy in place.

67% of the companies that give a high priority to security also had a security policy.

A big majority of companies take steps to raise awareness among employees.

More than 50% allow staff to access their systems remotely.

The proportion of businesses restricting internet access dropped by 50%.

Now fewer than 10% give no access to the internet.

Employees are increasingly being targeted by "social engineering" attacks.

Businesses are becoming more concerned about what is being said about them on social networking sites.

More than 80% of large companies blocked access to inappropriate websites.

86% logged and monitored staff access to the internet.

Research by PWC UK, 2010

more exposure,

more action,

more knowhow sharing,

more interaction

The Return is big but the Risk is big too

your employees

can fast become

the weakest link in your information

security

changing employee behaviour

is the key

to improving information security.

The big how

Offer them a clear framework

EMAIL SECURITY

INTERNET SECURITY

DATA SECURITY

ASSETS SECURITY

Do you have policies?

Why?

Customize the access according to the skills and needs of the employees

customize the risk

But standardize your policies

The worst way to communicate a policy is publishing it

Educate, educate, educate:

have your employees build the “awareness” muscle

Give people good habits

Communicate your best practices

Create an awareness culture:

let it be a dialogue

Make it formal:

it is serious

Make it simple,

make it fun,

make it participative

Make it a management issue

Be fully proactive

Tell them:

Personal = professional

Prohibiting, limiting, banning is not your key to success

trust

WIIFM? (What’s in it for me?)

answer WIIFM?

Does HR talk about these?

I am afraid not…

HR & IT partnership?

I am afraid not…

Legal base remains unclear too…

You have to be security and policy mentor

Your employees have to be security and policy literate

Your company has to be security and policy fluent

E-mail:

pinar.akkaya.pa@gmail.com

LinkedIn:

http://tr.linkedin.com/in/pinarakkaya

get connected

Twitter: http://twitter.com/PINARAKKAYA

http://twitter.com/lifesocialmedia

http://tr.linkedin.com/groups/hrleadersturkey