“In many companies the security of information rests precariously on the honesty, integrity and care of the staff, and nothing else.”

Why is this called “the ostrich effect”?

M11, P15 – Are You Sufficiently Prepared to Meet the Threat?

A 2009 Ponemon Institute report revealed that over 50% of disaffected employees target company information as they prepare to depart. Might this happen in our company, or are we different because all of our employees are contented? How can we begin to address this problem by technical and nontechnical means?

M11, P42 – Sources and Motivations of Malicious Insiders

Could it happen here? How do we protect our databases? Are there any weaknesses in our approach?

M11, P42 – Sources and Motivations of Malicious Insiders

Social engineering emails seek to get you to click on links in order to steal your private information. This message is designed to trick recipients into infecting the network. What awareness programmes do we have in place to reduce the risk of users clicking on infected links?

M11, P37 – Social Engineering

What are these and where might you find one? Is there a company procedure to check the connections on the back of our computers?

M11, P34 – Technical Surveillance

Which of these presents a better opportunity to today’s information thief?

M11, P39 – Data Slurping

Company Information Security Policy Extract

P A S S W O R D S

“All user-chosen passwords must be difficult to guess. You must not use:
• Words in a dictionary, derivatives of userIDs, names of celebrities, obscene words, and common character sequences such as 12345.
• Personal details such as birthdays, spouse’s name, car licence plate, social security number or employee number, and birthday.
• Any part of speech. For example, proper names, geographical locations, common acronyms and slang.”

The best passwords are those that include a mix of upper- and lowercase letters, numbers and non-alphanumeric characters.

Company Information Security Policy, Section xyz

Company Information Security Policy Extract

P R I V A C Y

“All identifying information about customers and staff, such as bank account details, credit card information, credit references, background checks, dates of birth, email and postal addresses etc., must be accessible ONLY to those Company personnel who need such access in order to perform their jobs.”

To share such information with other parties, or to inadvertently or negligently disclose such, may put the Company in breach of data protection legislation.

Company Information Security Policy, Section xyz

Let’s go around the room and agree on an action point that each participant is going to take away today…