Information Security is About More than Computers

An information security incident can damage your reputation and be costly to recover from. Such breaches are often caused by the action or inaction of people associated with the company: in particular, failing to handle the physical security of sensitive information properly. Every person working in an organization has a role to play in keeping information secure and preventing breaches.

In the example below, real estate documents containing clients’ names and personal information were discovered in a dumpster near a brokerage. This incident resulted from the broker and employees failing to safeguard the company’s information in physical form.

[Image: CBS News article about one of many real estate companies that have lost their reputations due to an information security breach; a dumpster full of personal information was discovered]

I have many other screenshots of similar news articles about physical security breaches.

Assessing how sensitive information flows through office branches as well as home offices, and exploring what protections need to be put in place, is an important part of a brokerage information security assessment.

Various Roles Responsible for Information Security

The most important person to involve in any information security effort is the owner or manager. In securing information, their main duty is risk management. The first step is to identify risk: what sensitive information the business handles and who is responsible for it. The second step is to analyze the risk to that information as it is collected, transported, transmitted, stored, displayed, and disposed of, in both physical and electronic forms. Once the risks have been identified and analyzed, the final step is to reduce risk by implementing policies and procedures that manage it in both the electronic and physical domains. All employees are then charged with following those policies and related best practices. Policies should also be written into contracts with third parties, and this often involves both technical and legal resources.

It can’t be emphasized too strongly that information security risk management covers the entirety of the business. Many areas of risk go well beyond the purview of IT staff: policy and procedure, physical security, human resources, and contracts are all outside their domain.

Even those aspects of information security that seem purely technical depend on non-technical management for their success. Some technologists may be reluctant to engage a third party for a security assessment, fearing that they will end up looking bad; management must take charge. Sometimes technologists want to follow best practices but need support from management. For example, technologists may wish that other employees used stronger passwords and want to put technical settings in place to enforce that. But if they did so, other staff (including possibly their boss!) might complain about the inconvenience of the settings, which would then probably be undone. However, if the owner or manager had created a company password policy and educated staff about it, the technologist would experience no pushback, or would at least have “air support” for the change. This is just one of many examples of how effective technical controls require the cooperation of management, technical staff, and everyone else in the organization who uses computers in order to succeed.

[Image: technical and non-technical aspects of information security]

With an ongoing commitment from everyone in an organization – owners and managers collaborating with technical, legal, and all other employees and contractors – risks can be identified, analyzed, and effectively managed. Although there is no such thing as “100% secure,” with everyone working together the risk of an embarrassing, costly security incident can be substantially reduced.