Patching Humans

In 2009, back when I was the Chief Information Security Officer for Gala Coral Group, I wrote that one of the hot topics for many Chief Information Security Officers was reducing the potential for Data Loss.


Today we are in 2012 and over the last four years not much has changed.

For many information security officers and IT directors, suppliers have moved on from point solutions to broader Data Loss Prevention offerings, after the realisation that achieving the panacea of loss prevention is often too costly and too damaging to productivity.

From the products I originally tested, I can say that they do what they say on the packaging. But it remains that in this economic climate, when boards are mandating decreased budgets and businesses drive for lower operational costs, information security officers are constantly seeking cheaper ways of achieving a similar result without large capital outlay.

Real gains in data management can be achieved through a good information security awareness programme. Such a programme can make significant strides in decreasing accidental loss of data, which is by far the most common cause of data breaches, with technical solutions then used to assist and complement its work. Awareness programmes take time to set up and need buy-in from the very top of the business. Key executives are usually happy and eager to help; they see both the security benefits and the benefits of lower operating costs.

For example, the use of portable media has caused many businesses a large headache and has led to a number of high-profile data breaches. By educating your staff on the virtues of good data management around portable devices, and ensuring a good understanding of classification labels and how to protect data within each classification, staff have shown they are capable of adequately protecting data and correctly using portable media devices.

This is not to say that you should not complement the training by issuing only encrypted portable devices and controlling data written to non-encrypted devices. In taking this step you reinforce the training and show the workforce that you are taking the matter seriously.

By viewing technology as an assistant to good information security practices rather than the primary enabler of information security, you are better placed to see the options open to the business. Taking a broader view of your business practices allows you to understand where information security gains can be achieved easily and where gains will take longer to realise.

An excellent area within the realm of information security where the people element returns excellent gains is penetration testing. By engaging members of different business units in internal penetration testing, it is possible to identify where processes are not working and could lead to potential security issues. Using this method of penetration testing in conjunction with traditional external testing gives you a fuller and more rounded view of your overall security stance, and helps identify the many egress routes that data could potentially take out of the business.

A good security awareness programme will not safeguard against those rogue employees who want to take the data with them, however. Here there is no replacement for the technical counter-measure. But with an awareness programme in place, employees will know what will happen if they are found to have taken data, and the HR department will have an easier time dealing with these employees if you can prove they were fully aware of the policies and had taken part in the awareness training.

Author Details
Founder & CEO at Hedgehog Security

Peter has been in the Information Security world since 1999 and in IT in general since 1996. His work history contains a unique blended balance between the development of exceptional technical capabilities and business knowledge. Peter is a proud father of twins and enjoys GT endurance racing on the weekends.
