Information Security
Training Presentation
[name] [date]
Learning objectives
• Why information security?
• What information is covered?
• Classifying information
• Information security in practice
• Our company’s information security policy
Why is information security important?
Information is valuable… Information is personal…
What information is covered?
• Personal
• Legal
• Corporate
• Operational
If it’s not in the public domain, protect it!
Risks & consequences
• The data’s value
• The added risk of a direct attack – on our people or our systems
• The cost of regulatory fines
• The cost of restoring or recreating what’s lost
• Reputational damage
When it goes wrong
Bank fined £500k for data loss
Target loses personal data of 70m customers
MP’s notes photographed in Downing Street
HIV clinic accidentally leaks patient details
Social worker leaves court data on car roof
Information Security breaches
Why do information security breaches occur?
a. Ignorance of the rules
   e.g. policy violations caused by a lack of training
b. Failing to realize data was confidential
c. Insufficient methods to protect data
d. Deliberate leaks
e. User error
   e.g. sending an email with data to the wrong people
Understanding the data universe
• Data classification system
• Lifecycle: Creation → Storage/Retrieval (Use) → Disposal
Classifying information
1. Confidential
2. Inside
3. Internal
4. Public
You make the call: What type is it?
Last year’s annual company report
Confidential / Inside / Internal / Public

A client’s payment details
Confidential / Inside / Internal / Public

Our company phone directory and handbook
Confidential / Inside / Internal / Public
Communication & information security
“I forwarded the email without thinking. I forgot to check what else was further down the thread.”
“I clicked on Reply to All by accident. The message went to all our 3,000 employees. The system was swamped when people replied back.”
Email / Instant messages
Information security & the internet
“Happy Birthday to my favourite client Lydia Clarke”
“In Leeds today with Magee Investments – exciting times ahead”
“Bye desk – see you in 2 weeks”
Information security on the move
• Eavesdropping
• Shoulder surfing
• Unsecure WiFi connections
• Loss of physical information
• Loss of equipment or devices
Opinion: Security & portable media
“I lost a memory stick after travelling to a client meeting. The data wasn’t encrypted.”
“My laptop was stolen on the train. There wasn’t much information on it but that’s not the point.”
Security in the cloud
Avoid content dumps – copying everything as a backup ‘just in case’: YES
Conduct due diligence before granting shared access: YES
Allow shared logins: NO
Create new folders to give access to third parties: YES
Give everyone the same privileges and access rights: NO
Vet IT professionals who have access to our cloud and file-sharing services: YES
When it goes wrong
Email error blamed for massive data breach
Security firm warns of ransomware risk
Lightning strikes Google’s cloud data
Greater Manchester Police fined £120k for memory stick robbery
Clinton used personal email
Dropbox targeted by Trojans
GDPR penalties are severe
4% of global turnover
€20 million
Scenario 1: Gloria’s holiday
What should she do?
“I may be going away but I still need to keep on top of what’s happening”
a) Log in via remote access to access her work email account
b) Ask her colleagues to cc all the emails to her personal email account
c) Forward emails directly to her mobile so she can pick them up on the go
d) If it’s important, her team should call her instead – it’s more secure
Scenario 2: Adam’s meeting
What should he do?
“I’m off to Manchester today for a meeting and need to take my laptop…”
a) It’s best to travel without devices to limit the risks
b) Ensure that he travels with minimal information, in case of theft
c) Only use iOS products as they pose no security risks
d) Avoid discussing work in public places or in earshot of others
Our Information Security Policy
• Providing information and training – raising awareness
• Carrying out regular risk assessments
• Testing our systems are secure
• Providing appropriate technology to keep information safe
• Appointing people with specific responsibility for information security
• Requiring everyone to read and implement our Information Security Policy
Do
• Read our Company's Information Security Policy – make sure you understand our rules and know what to do
• Be aware of how data you use is classified
• Take appropriate precautions whenever you use our information, right throughout the lifecycle – from creation to disposal
• Report any issues or breaches immediately to your manager – so we can limit our losses
Don’t
• Assume that everyone is entitled to see the same information as you
• Leave your computer logged on or leave information unattended on your desk
• Send or store sensitive information electronically without encryption
• Forward our information to your personal devices
• Share your login with anyone else
• Let visitors walk around our offices unattended
Questions, comments or concerns?
Next steps
Call _____ on _____ if you need information or guidance
Call _____ on _____ if you need to raise concerns
Access self-study courses on our e-learning portal for further training [or optionally – Complete your mandatory training on our corporate e-learning portal]
About Skillcast
• Skillcast provides digital learning content, technology and services to help you train your staff, automate your compliance processes and generate management reports to help you keep track of it all.
• Our best-selling Compliance Essentials Library provides a complete and comprehensive off-the-shelf compliance solution for UK businesses.
Register for a free trial at https://www.skillcast.com/free-trial
Copyright © 2022 Skillcast. All Rights Reserved.

Editor's Notes

  1. Welcome to this session on Information Security. Thank you for attending. This session should take us around 20 mins.
  2. In this session we’ll look at:
     • Why information security?
     • What information is covered?
     • Classifying information
     • Information security in practice
     • Our company’s information security policy
  3. [Ask delegates] Why is information security important? Every day we generate and consume ever-increasing amounts of information. Much of this information is of immense value to our business and the cost of losing it or having it stolen is hard to quantify. The information we use often relates to individuals too. It’s vital that we take extra care to safeguard personal information. If we fail, it can have disastrous consequences. That's why it's crucial that we protect all our information from those who shouldn't see it, from unauthorised use or access, from illegal copying, viewing, and deletion.
  4. So, what information do we need to protect? The main types are:
     • Personal information – eg about our customers or our employees, including their names, addresses, birthdates, contact details, bank or payment details, buying preferences, etc
     • Legal information – eg contracts and agreements with third parties, including our suppliers, partners, affiliates, customers, consultants, and employees
     • Corporate information – eg relating to our financial position, our strategy or corporate plans (expansions, mergers and acquisitions), and especially including anything which is not already in the public domain
     • Operational information – eg information about our internal processes or procedures, and how we operate; market intelligence
     But, don't be fooled into thinking that it's just online information that's at risk. Physical documents are every bit as vulnerable. Security is important for all our data - whether it's held physically or electronically, whether it's created by us or provided to us by third parties. If it's not in the public domain, it needs protecting.
  5. To understand the importance of information security, think about what impact it would have if any of our information was lost. The consequences would be serious – both for our customers and our company. We can assess the overall impact by considering:
     • The data’s value
     • The added risk of a direct attack – on people or systems
     • The cost of regulatory fines
     • The cost of restoring or recreating what’s lost
     • Reputational damage
  6. Despite the obvious reputational damage, companies still get it wrong. Here are some examples of cases that have hit the headlines recently. [As an add-on, discuss other recent cases, if required.]
  7. [Ask delegates] Why do you think information security breaches occur? [Allow time for reading and reflection before clicking next.] In summary: There are many reasons why information security breaches occur. The most common ones include:
     • Failure to appreciate the importance of information security
     • Malicious attacks by hackers
     • Accidental loss
     • Negligence
     • Deliberate policy violations by internal staff (think Edward Snowden)
  8. One of the best ways of safeguarding our information is to understand our entire data universe – ie what data we're dealing with – and then decide what's appropriate. We use a classification system to help us understand data sensitivity and ensure that our information is always given the right level of protection. And, that classification also governs what we can do with it – whether it can be shared and with whom, how it should be stored, who can see it, what they can do with it, etc. By looking at the entire lifecycle, from the moment data is captured or created, its storage and retrieval, right through to disposal, we can ensure that we're taking the right action – at every stage – to safeguard it.
  9. Any information we create or receive is classified, based on its value or criticality to us. Of course, some of our information is publicly available and freely disclosed without restrictions, whereas others are strictly confidential and therefore subject to tighter controls. There are 4 ways in which we classify information:
     1. Confidential – This applies to information that is only available to those who have a 'need to know'. It includes customer account details and HR records. Compromising confidential information could lead to significant financial or reputational damage.
     2. Inside – This is a sub-set of confidential information. It relates to the value of publicly traded securities, eg unpublished financial accounts, information on the progress of large projects, pending mergers, etc. Releasing inside information inappropriately is a criminal offence punishable by imprisonment and fines.
     3. Internal only – This can be freely shared with all members of staff but not released to third parties. It includes internal telephone directories and most of our compliance policies and procedures.
     4. Public – This can be released to anyone outside our Company without restrictions. Examples include press releases, marketing material and some research produced by our Company.
  10. Take a look at this example and decide what type of information it is. [Allow for thinking time before clicking next] By understanding how information is classified and its value to our business, you'll find it easier to protect it.
  11. Like most companies, we rely on technology, especially for communication and to share information across our Company and beyond: everything from email and instant messaging to online conferencing, forums and smartphones. But the speed at which we communicate today can sometimes put data at risk, as these examples show. [Include other examples from your own experience – corporate anecdotes – and allow time for discussion.]
  12. Using the internet can also sometimes compromise information security, if we’re not careful and don't take precautions. You’ll need to watch what you share, particularly when using social media. Oversharing information can cause serious problems. For example: Even the mere mention of a meeting with a company may breach our confidentiality agreements or privacy. And, a seemingly harmless tweet about being in a certain place to 'seal a deal' with a kindred company may allow others to 'piece together the jigsaw' and forewarn of a merger. It’s important to let our PR/Media department handle all official disclosures and public announcements. Refrain from sharing corporate information online unless it’s part of your job.
  13. Keeping in touch with what's happening back at the office when you're on the move (for example, when travelling or working in different locations) is essential for most of us. But, there are risks too. You may have to take calls, respond to emails, refer to corporate information on our internal servers, and more as you work at a distance. You’ll need to take precautions and ‘think information security’ whenever you travel. What can you do? [Allow time for discussion before continuing]
     - Check over your shoulder before having a conversation on your mobile or using a laptop or tablet – who else is within earshot or can see it? Move somewhere private or offer to call them back to maintain confidentiality.
     - Set up password protection on all your devices – including Touch ID, two-factor authentication – before you travel.
     - Keep data to a minimum when travelling, especially when travelling abroad on business.
     - Don’t access our network or sensitive information using public WiFi connections – they aren’t secure.
  14. We often insist on having all our information at our fingertips whenever and wherever we need it. Different types of media have helped make our data more portable, including DVDs, CDs, SD cards and USB memory sticks, and most store vast amounts of data. But, there are risks here too.
     - Portable devices may be lost easily.
     - There can be problems keeping it up-to-date – especially if it was downloaded some time ago.
     - Malware can be spread easily by USBs and other portable media.
     [Hold a discussion with delegates, before continuing. Are portable media allowed? If so, what precautions do they take? What more can they do?] [Note: USBs containing malicious software are often dropped by cyber criminals outside company offices. Accessing them via our network can lead to serious cyber security breaches.]
  15. Cloud storage and file-sharing sites (such as iCloud, Dropbox, Google Drive, Mega, and OneDrive) have revolutionised information storage and use, allowing us to access and exchange corporate information wherever and whenever we like. Add to that the ability to make real-time synced changes to information, and it's not hard to see why they're so popular. But, there are risks too so we need to take precautions. [Allow time for discussion before clicking next to identify best practice.]
  16. Whenever and wherever we use information, we must prioritise security. Information security breaches are serious. There may be devastating consequences for the individuals involved, not to mention significant damage to our reputation and fines. Yet, companies are still failing to do enough to protect information. [As an add-on, discuss other recent cases, if required.]
  17. But, now, there’s an even greater incentive to get this right. Under the General Data Protection Regulation there’s a much stricter regime and the fines have increased dramatically. Companies now face fines of up to 4% of global turnover or €20 million (whichever is the higher). So, it’s time to up our game and take this more seriously… [Download our other presentation on GDPR for more.]
  18. Gloria’s taking annual leave. She’s off to the South of France for a few days. But the project she’s working on is at a critical phase – she wants to keep on top of her emails while she’s away. What should she do? [Allow for discussion and thinking time before clicking next again] Business emails must not be forwarded to your mobile or personal email address - this creates a security risk.
  19. Adam’s going to a meeting in Manchester. He needs access to key statistical information so he’s taking his laptop with him. Then, after the meeting, he’ll need to call the office on his way home to give a progress report. What action should he take to maintain information security? [Allow for discussion and thinking time before clicking next again] Travel can sometimes increase the risk of security breaches. For example, there may be eavesdropping on the train, you may leave documents at a client office in error, or use an unsecured connection as you take a break in a coffee shop. You can't avoid travel, but you must at least limit the risks.
  20. Our Information Security Policy outlines our rules, processes and procedures. We demonstrate our commitment to information security by:
     - Providing information and training – raising awareness
     - Carrying out regular risk assessments
     - Testing our systems are secure
     - Providing appropriate technology to keep information safe
     - Appointing people with specific responsibility for information security
     - Requiring everyone to read and implement our Information Security Policy
     [As an add-on, provide everyone with a copy of your Information Security Policy and explain the key points. You might also introduce your Information Security/Data Protection Officer in the session giving them a 5-min slot to explain their work and offer advice.]
  21. We can’t do this alone. Here's what you should do:
     - Read our Company's Information Security Policy – make sure you understand our rules and know what to do
     - Be aware of how data you use is classified
     - Take appropriate precautions whenever you use our information, right throughout the lifecycle – from creation to disposal
     - Report any issues or breaches immediately to your manager – so we can limit our losses
     - Talk to your manager if you have any concerns or if you have any suggestions on how we can improve data security.
  22. Don't:
     - Assume that everyone is entitled to see the same information as you
     - Leave your computer logged on or leave information unattended on your desk
     - Send or store sensitive information electronically without encryption
     - Forward our information to your personal devices
     - Share your login with anyone else
     - Let visitors walk around our offices unattended
  23. Do you have any questions?
  24. You can get more help and information on this issue from these contacts. Or, for a more in-depth look at this topic, access our self-study course.