Services
We provide a wide variety of high-value services to customers in multiple sectors. Drop us a line at info@headfry.com for more details.
One component is the provision of information security education and training to company directors, senior executives, employees, and users. We place a particular emphasis on preserving brand value, which for many companies in the knowledge economy is the most valuable asset on their books.
We also place an emphasis on crisis management. Unfortunately, it is merely pragmatic to assume that bad things will happen to you and your organisation, irrespective of what you do, but it is critical to plan accordingly. Many a potential disaster has been avoided with careful planning.
Why education?
There is a broad consensus building in the security space that many security products will, over time, become commodities.
Does that mean that our security woes will be over? Alas, no.
The issues that will remain will revolve around people and business processes. People will exploit the latter, and other people the former.
Despite much lip service about the value of employees, and the knowledge that they can be a bane as well as a blessing, surveys repeatedly show that companies ignore people issues.
The 2004 Ernst & Young global Information Security Survey found that “organizations remain focused on external threats such as viruses, while internal threats are consistently under-emphasized. Companies will readily commit to technology purchases such as firewalls and virus protection, but are hesitant to assign priority to human capital”.
It also stated that lack of security education and training is a weak link for most companies, from multinationals to the small business. Indeed, a wide variety of IT security surveys routinely find that there is a disproportionate emphasis on technology and high tech tools, and not nearly enough spent on people and processes.
Employees at all levels need to feel invested in the process of keeping the company's assets safe, and in turn ensuring their own sensitive and personal data is protected. They also need to be made aware that the consequences of exposing critical data will be severe. If this message is not circulated, there is every chance that some employees will turn on you, with highly adverse consequences.
“It’s only money”. Right? But it is your money, or that of your stockholders.
Don’t play Russian roulette with the crown jewels of your business. Invest a little to level the playing field and stay safe.
But a heavy hand is no answer either. Don't turn Robin Hood into the Sheriff of Nottingham. People can be a very devious lot. And we tend to hold grudges for a long time.
Resources
If you need convincing, read two excellent studies from the US Secret Service and the US-CERT, based at Carnegie Mellon University in Pittsburgh.
Secret Service profilers and psychologists examined the cases of a number of high profile IT security/fraud incidents carried out by insiders to try to determine motivation, the type of people carrying out such attacks, etc. The results are often surprising.
Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector
Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors
A PDF of a recent presentation by one of the authors of the reports at the CSI conference