When working to establish an Information Security Management System in line with the requirements of the ISO 27001 standard it is easy to think that the main challenge would be writing all the policies and procedures and implementing all the controls.
As is common practice, your organisation establishes an ISMS, implements all necessary controls, publishes all the relevant policies, ensures staff has signed them to confirm they have been read and understood, and issues mandatory information security training modules.
While that is all necessary, not just to achieve compliance with the standard but to implement best practices across the organisation, policies will not be effective if they are not followed by your staff, including senior Management!
Let’s put this into perspective.
Your staff, having signed your company Clear Desk and Clear Screen Policy, knows never to leave their screen unlocked when they leave their desk.
Not long after, one of your users leaves their screen unlocked when picking up some documents from the printer. They’re in the same room, they can see their screen, so they think there is no risk to security, and this becomes common practice for them.
One of their colleagues, instead of challenging them, adopts the same approach when going to the kitchen to get themselves a drink. This time, they have to leave the room, but are confident that their colleagues who remain in the office area will make sure no unauthorised user has access to the information on their screen.
Before you know it, several people in the office have adopted this practice!
Let’s look at another example.
Your organisation’s Physical Security Policy states that all visitors should be issued a guest pass and escorted at all times when on your organisation’s premises. One day one member of staff sees someone they don’t know walking around the office but don’t challenge them because they know one of their colleagues is expecting a visitor, and this must be them.
In both cases, we’re looking at low-risk scenarios, albeit in breach with your company policies.
Is it still a low-risk scenario, if an unaccompanied visitor has been left walking around your office, potentially having access to confidential information on a screen that was left unlocked and unattended?
Of course, we can hope the visitor has no malicious intentions and can be trusted, and that technical controls are in place to mitigate the risk, but you shouldn’t leave the security of your organisation’s and our clients’ information exclusively down to trust.
Employees are your first line of defence, and while they should be held accountable, they should also be provided all the tools to succeed, including “appropriate information security awareness, education and training and regular updates of the organization’s information security policy, topic-specific policies and procedures, as relevant for their job function” (ISO 27001:2022 Control A.6.3).
How can you ensure that employees don’t become a risk to the security of your Organisation?
- Rely on a robust awareness training programme, with modules released monthly (as opposed to annually) to ensure continual awareness
- Ensure that your policies are reviewed periodically, and reissued to staff to sign after each review;
- Establish an audit programme, to assess whether your Company Policies are being followed;
- Re-issue relevant training modules to all members of staff found in breach of your Policies;
- Make sure your Top Management is on board, as they will be setting an example for the whole organisation.
And finally – implement a positive security culture where team members are encouraged and congratulated for adopting positive security practices…..and if someone makes a mistake…..don’t punish them for it, gently explain what they did wrong, and the importance of getting it right next time!