Poor InfoSec Practices: Lessons to Be Learnt

Introduction
Some organizations and employees tend to neglect proper information security (InfoSec) practices in their day-to-day activities. This article examines the negative effects of poor InfoSec practices within organizations and the lessons employees and organizations should draw from several InfoSec incidents.

Information
Information is an important business asset, just like a company's human resources, buildings and vehicles, and hence needs to be adequately protected. Without adequate protection, InfoSec breaches can cost organizations millions of Ghana Cedis. Information exists in many forms: it can be printed or written on any material, stored electronically, conveyed visually or verbally, published on the internet, or held intangibly as knowledge in people's heads. Information must be given the right protection irrespective of its form, how it is stored, or how it is shared.

InfoSec Incidents
There was an incident where an employee of a financial institution video-recorded a customer who was being seriously assaulted by security personnel on the company’s premises. The video was shared on social media and went viral. It gained the attention of the traditional media, civil society organizations, the Inspector General of Police, the Trade Union Congress, some political actors and a host of others. The same careless attitude can be found in many organizations: some employees take photographs in very sensitive areas of their offices and indiscriminately post them on social media. I was once having a discussion with a banker, and the name of a popular Ghanaian came up in that discussion. The banker deviated from the conversation and started telling me about the amount of money in the bank account of that person. The banker further continued to tell me the amount of money in the account of that person’s spouse. I also had a discussion with one government worker, and without any request, the person showed me very sensitive organizational information from his phone. There are also reported cases of former employees of companies continuously receiving sensitive corporate information from current employees of those companies. In all the aforementioned instances, I was not only extremely amazed but also very scared of the type of employees organizations have nurtured.

The Lessons
Many people misconstrue InfoSec as the security of computers and computerized information systems, which is a grave misconception. InfoSec has three elements: People, Processes and Technology. People comprises the shareholders, management, staff, customers and consultants of an organization. Processes are the various business processes that help an organization deliver services or products to its clients. Technology refers to tools such as computers and software that help an organization carry out its business processes. In a nutshell, people use technology to carry out business processes. To ensure robust InfoSec within an organization, all three elements need to be adequately protected, because a weakness in any one of them can be a catalyst for an InfoSec breach. It is evident from the first incident cited that a single act by a careless employee can create a lot of problems for the stakeholders of a company. Making the video public seriously dented the reputation of the company and its employees. The company might have lost huge sums of money through panic withdrawals, public relations and compensation costs, as well as losing existing and potential customers. The reputation of the Security Service was also not spared; it was seriously bashed by the public because of the heinous act of the policeman seen in the video footage. The video exposé resulted in the suspension of some employees of the company and the trial of the police officer. It also affected some customers in one way or another.

Conclusion
From the narrated incident, we see how poor InfoSec practice can ruin the hard-won reputation of a company within a few hours. Employees and organizations need to take serious lessons from this incident and put in place stringent measures to curtail similar occurrences within their environments. Organizations need strong administrative measures to change employees’ behavior and attitudes, by implementing InfoSec policies and organizing regular InfoSec awareness training and education for employees. Employees also need to eschew unprofessional InfoSec practices; they must always be mindful of their actions and inactions with regard to corporate and personal information.

Author: Sherrif Issah – (Consultant @ Digital Jewels Ltd. and Member, Institute of ICT Professionals, Ghana)