Steps to Prevent Negative Economic Impact of Human Error
Human error is a major contributor to cybersecurity risk for every organization today, large or small. Even with sound, established IT policies in place, weak IT auditing and negligence over the small items on the agenda let unexpected problems fall through the cracks. Many IT security incidents can be prevented simply by implementing IT security policies rigorously and, of course, through strong leadership from the CISO (Chief Information Security Officer).
Here are some useful policies that can substantially improve a company's IT security and lessen the economic and technical impact of human error:
Forced device encryption policy
Many companies have learned from the experience of losing an important device, such as a corporate laptop or smartphone, in an airport. It is worse still to find out that the lost device was not encrypted, which means only one thing: anyone who picks it up can read its contents. The 'Professional', 'Enterprise' and 'Education' editions of Windows ship with built-in full-volume encryption, BitLocker (the Home editions lack the full BitLocker feature set). iOS encrypts its storage with keys tied to the device hardware and the user's passcode; Touch ID and Face ID on later models unlock those keys but do not replace the passcode, so a device with no passcode is effectively unprotected. On Android, device encryption has been available since Ice Cream Sandwich (4.0, released in 2011), and Marshmallow (6.0) and later require it on new devices shipping with that version, apart from low-end hardware exempted for performance reasons. The more customer data is stored on employees' computers and smart devices, the greater the need to safeguard it from accidental deletion, leaks and unauthorized access. With the European Union's GDPR in force, companies face bigger obligations to safeguard user data, especially if they operate inside an EU member state or deal with European customers.
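A forced encryption policy is only as good as the check that enforces it. The following PowerShell script is an added example, not code from the original article: it audits the system volume's BitLocker state and remediates an unprotected one with a TPM protector plus a recovery password escrowed to Active Directory. It assumes a domain-joined Windows 10/11 Pro or Enterprise machine (or Server 2012 and later) with a TPM, the BitLocker and TrustedPlatformModule PowerShell modules, and group policy that permits AD DS recovery-password backup; the function names are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): audit and enforce BitLocker
# on the system volume with a TPM protector and an AD-escrowed recovery password.
# Assumes a domain-joined Windows Pro/Enterprise machine with a ready TPM and a
# GPO that allows AD DS recovery-password backup. Function names are hypothetical.

function Get-OsVolumeEncryptionReport {
    param([string]$MountPoint = $env:SystemDrive)   # usually "C:"
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus       # FullyDecrypted, EncryptionInProgress, FullyEncrypted, ...
        ProtectionStatus = $vol.ProtectionStatus   # Off (no active protectors) or On
        EncryptionMethod = $vol.EncryptionMethod   # e.g. XtsAes256, or None
        Protectors       = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
        # "Encrypted" alone is not enough: a suspended volume is fully encrypted but unprotected.
        Compliant        = ($vol.ProtectionStatus -eq 'On' -and $vol.VolumeStatus -eq 'FullyEncrypted')
    }
}

function Enable-OsVolumeBitLocker {
    param([string]$MountPoint = $env:SystemDrive)

    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw 'TPM not present or not ready; refusing to enable BitLocker without a hardware-bound protector.'
    }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # Add a recovery password before the TPM protector, so a board swap or a
    # TPM reset cannot lock the company out of its own data.
    if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
    }

    # Escrow every recovery password to AD DS, never only to a sticky note.
    $vol.KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        ForEach-Object { Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null }

    switch ($vol.VolumeStatus) {
        'FullyDecrypted' {
            # -UsedSpaceOnly suits freshly imaged machines; on a device that already
            # held data, drop it so old data lingering in free space is encrypted too.
            Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -TpmProtector `
                -UsedSpaceOnly -SkipHardwareTest | Out-Null
        }
        'FullyEncrypted' {
            # Encrypted but protection suspended (e.g. after a firmware update): resume it.
            if ($vol.ProtectionStatus -ne 'On') { Resume-BitLocker -MountPoint $MountPoint | Out-Null }
        }
        default {
            Write-Warning "Volume $MountPoint is in state '$($vol.VolumeStatus)'; let it finish before re-running."
        }
    }

    Get-OsVolumeEncryptionReport -MountPoint $MountPoint
}

# Usage: audit first, remediate only the non-compliant case.
$report = Get-OsVolumeEncryptionReport
$report | Format-List
if (-not $report.Compliant) { Enable-OsVolumeBitLocker | Format-List }
```

The compliance test deliberately checks ProtectionStatus as well as VolumeStatus: a volume whose protectors were suspended for a BIOS update reports as fully encrypted, yet boots straight into Windows with no key required, which is exactly the state a lost laptop must not be in.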
BYOD can be implemented, but must adhere to the forced device encryption policy.
Bring Your Own Device is a policy that companies can no longer ignore. With the commoditization of smartphones and tablets, almost everyone is attached to their personal devices. IT policy needs to be strict, yet still allow BYOD in the office environment: employees are more productive when they are free to use the device they are comfortable with, which means their personal device. It is dangerous to allow BYOD without encrypting the devices employees use; if an employee refuses to encrypt, it is fair to deny that device access to the office Wi-Fi and internal resources. Encryption keeps the data unreadable even if the device is lost, provided the device also locks with a passcode, since on phones and tablets the encryption keys are protected by that passcode.
Re-education and retraining
Change is constant, and in an organization it is normal to have, for example, a 5-year refresh cycle for workstations and a 10-year refresh cycle for servers. With every change comes the need to re-educate and retrain end users. The same applies to IT staff: they need to refresh their knowledge, especially when they are expected to support old and new systems at the same time.
User Account control policies
This is enforced through Active Directory domain controllers on Windows, or Samba 4 servers acting as AD domain controllers on Linux (it is not to be confused with Windows' own User Account Control prompt, which only governs elevation to administrator on a single machine). Account control policies define the privileges and permissions a particular user has on a computer and on the network. It is common for the IT team to restrict users to only the applications they need, the principle of least privilege; it improves security because applications that are not needed cannot be run, and a compromised account can do less damage.
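One concrete way to implement "users only get the applications they need" on a domain is an AD security group per application plus an AppLocker allow-list scoped to that group. The script below is an added example, not code from the original article. It assumes a domain-joined administration workstation with RSAT (the ActiveDirectory module) and the AppLocker module; the domain CORP, the OU path, the group name, the user accounts jdoe and asmith, the application folder and the GPO LDAP path are all hypothetical names chosen for this example.

```powershell
# Added example (not from the original article): least-privilege application
# access via an AD security group and an AppLocker allow-list built from the
# application's own binaries. All names below (domain, OU, group, users,
# folder, GPO path) are hypothetical.

Import-Module ActiveDirectory
Import-Module AppLocker

$DomainNetbios = 'CORP'
$GroupOu       = 'OU=Groups,DC=corp,DC=example'
$AppGroup      = 'App-Accounting-Users'
$AppFolder     = 'C:\Program Files\AccountingSuite'
$PolicyFile    = "$env:TEMP\applocker-accounting.xml"
# LDAP path of the GPO that carries the AppLocker policy (placeholder, replace with the real GPO's path)
$GpoLdapPath   = 'LDAP://corp.example/CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=corp,DC=example'

# 1. One security group per application: group membership, not local admin
#    rights, decides who may run it.
if (-not (Get-ADGroup -Filter "Name -eq '$AppGroup'")) {
    New-ADGroup -Name $AppGroup -GroupScope Global -GroupCategory Security -Path $GroupOu `
        -Description 'Users allowed to run the accounting suite'
}
Add-ADGroupMember -Identity $AppGroup -Members 'jdoe'

# 2. Build allow rules from what the application actually ships: publisher rules
#    for signed binaries, hash rules as a fallback for unsigned ones. -Optimize
#    collapses the per-file rules into as few publisher rules as possible.
Get-AppLockerFileInformation -Directory $AppFolder -Recurse -FileType Exe, Dll |
    New-AppLockerPolicy -RuleType Publisher, Hash -User "$DomainNetbios\$AppGroup" -Optimize -Xml |
    Out-File -FilePath $PolicyFile -Encoding utf8

# 3. Test before enforcing: a group member should be allowed, a non-member denied.
$probe = Get-ChildItem -Path $AppFolder -Filter *.exe -Recurse | Select-Object -First 1
Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path $probe.FullName -User "$DomainNetbios\jdoe"
Test-AppLockerPolicy -XmlPolicy $PolicyFile -Path $probe.FullName -User "$DomainNetbios\asmith"

# 4. Merge into the domain GPO. -Merge keeps the GPO's existing default rules
#    (Windows and Program Files for Everyone); replacing them outright would
#    block the operating system itself once enforcement is on.
Set-AppLockerPolicy -XmlPolicy $PolicyFile -Ldap $GpoLdapPath -Merge
```

Two caveats a practitioner would check: the generated XML leaves the enforcement mode "NotConfigured", so nothing is blocked until the GPO's AppLocker executable rules are set to enforce (start with audit-only and read the AppLocker event log), and AppLocker only acts on clients where the Application Identity service is running.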
Principle of ownership
Ownership is a broad topic beyond the scope of this article, but in a nutshell, there should always be a system for reporting issues. An open-door policy in the office environment also promotes awareness and users' willingness to report issues as they encounter them. It builds trust between users and the IT team.