Everyone loves new technology because it’s fun and sexy. Look at how people line up to get the newest iPhone. New shiny objects always make us smile. Think about when you get a brand new car with all the latest gadgets.
Technology is wonderful, but it doesn’t do everything. If you have a car, but have no idea how to drive it, it isn’t much use. Of course you could get a chauffeur, but that’s a bit beyond my means. To make the car useful, you need some education.
That’s how it is with information security. Everyone wants to throw technology at it, but that doesn’t always solve the problem. You can set up a sophisticated alarm system in your home or business, but if no one teaches you how to turn it on, it’s useless.
The problem with education is that it doesn’t always yield quick and tangible benefits. It takes time, just like teaching your kids table manners (ok, bad analogy, since that’s a losing proposition for most of us). Technology has historically been more appealing because the perception is it will solve the problem. Most of the time, it’s not a silver bullet and can’t replace a solid framework for information security. That includes policies, procedures and education. Yawn!
Sorry if I woke you up, but that’s how it needs to be. Things don’t have to be boring or cumbersome. You can follow a few simple rules to get started.
1. Determine what you need to protect, based on how sensitive it is to your business.
2. Define how you will protect it and who should have access to it.
3. Educate people on what you determined in 1 and 2.
4. Implement access rights and protection measures.
5. Go back to number 1 and repeat.
This may sound overly simplified, but in essence this is what you need to do. Number 5 is critical, since new vulnerabilities and threats crop up all the time. I think by keeping it simple, you will actually do it. I realize that protecting sensitive information can get very complex, but it doesn’t need to be. A lot of companies don’t do the simple things to protect themselves, like making sure people log out of their computers when going to lunch.
These steps involve technology, policy and education. The last piece is very important. It’s not as sexy as the technology, but without it, the rest is a waste of time. It might sound obvious, but it amazes me how infrequently it’s done. It’s not always about sitting people in a classroom for hours on end. Education is ongoing and can be done fun. Look at all the great YouTube videos out there on everything from phishing scams to information security awareness. These are easy ways to get the message across in an entertaining way. You can create either create your own or use what’s already out there.
Hmm, maybe education can be sexy.
Photo credit Savant Systems