Defending From Within

Ron Scarborough
Jun 26, 2018 10:00:00 AM


Hackers, ransomware, and denial of service attacks get all of the attention when it comes to Information Security. However, you will quite often hear IT Security personnel state that the biggest threat to an organization is from within. With this in mind, if an organization’s biggest threat is its own employees, what can the organization do to mitigate the risks associated with them?

An organization’s IT resources are a valuable commodity. Protecting this commodity can cost an organization a large amount of money when not done properly. The development of an acceptable use policy (AUP) is a cost-effective way to begin securing an organization’s network systems and services. Keeping in mind that our biggest threat is our own employees, it is right to assume that their misuse of company resources will occur, bringing unwanted risk, viruses, and in the worst of cases, denial of service attacks.

An AUP can and should define how organizational information technologies and systems are required to be used. Development of a clear and easy-to-understand AUP allows users to know exactly what is expected of them, the rules of the road so to speak. The next key step is to have the employee sign this policy, acknowledging their understanding of what is allowed and what is not allowed. Part of this understanding will be that the organization is maintaining logs and backups of their information systems and that regular (at least annual) audits of these backups and logs are taking place to look for any misuse of resources.

While an AUP is one layer of the IT Security onion, organizations that combine a clear AUP, a dynamic security awareness training program, and a more formal IT security policy have a foundation on which to build a strong IT security culture. The word “culture” is intentionally used in this case, because IT security should feel second nature to any secure organization.

New hires must receive IT Security training when they are first brought on, sign off on the organization’s AUP, and regularly, if not annually, be trained further on how to keep themselves and the company safe from malicious behavior. Compass IT has led the way for many organizations with modern, effective IT security training, and assisted in the development of policies that have produced positive results for all organizations who team with Compass IT.

While an AUP is an important policy for an organization to have, there are other information security policies that should be in place to help an organization mitigate its overall risk. For more information on some of these policies, download a copy of our IT Security Policies eBook!
