20 tips for information security around human factors and human error
Good security serves the efficiency of the business,
not the protection of information for its own sake. Utilize information.
Bad security is reactive and passive.
You should close your company if your goal
is just to avoid information leakage.
Consider why you are using so much
information and so many computers.
A good goal is more concrete and intentional
about the business; it mentions service
time, service quality and security quality.
The weakest link dooms your company
◦ A security expert company, which had excellent
management of email and web, was attacked via
FAX. A fraudulent FAX deceived an employee into
changing security settings.
Survey all equipment, systems, and information
flows in your company.
Imagine your business scene.
◦ “Go out to the customers, bringing laptops.
Give presentations, negotiate, send mail and so on.”
When, where, why, what, and how much is
Reveal the minimum set of necessary
Over 90% of accidents are caused by
employees: loss of information, sending to the
wrong address, and mistakes with systems
Apply systematic protection
◦ An email system that prevents misaddressed emails.
Make management more practical
◦ Consider why your employees behave so riskily as to
take the information out. Is there any
inconvenience at your office?
A wrong security policy is dangerous.
◦ “Do not connect PCs to the net.” People then use USB
memory sticks to carry files, and lose the sticks.
There is no silver bullet. Even the best
methods have some bad side effects.
Compare several ways to promote both your
business and your security.
Information security is the main issue of
The best and brightest employees should
take care of it.
Technology experts are there to support them.
Plan before incidents
Reinforce the security policy periodically
Drill against human error incidents and cyber
The 3 typical tactics of cyber fraud
1. Authority impersonation
◦ “The security department requires you to read the
attached file of this mail!”
2. Panic maker
◦ “I am meeting the customer and need to open a
locked file. Please tell me the password now!”
3. Lightly-favored trap
◦ “The lights of someone’s car in the parking lot are left on.
The photo is attached to this mail.”
Turn typical mail addresses into decoys
◦ firstname.lastname@example.org, email@example.com, etc.
Prepare decoy names of company employees
◦ Adversary: “Sorry, I forgot the name of the person I
◦ Employee: “Well, Mr. Suzuki is our boss.”
◦ Adversary: “Yes, Mr. Suzuki, that is him.”
◦ Employee: “There is no such person in our
Passwords are hard to hide perfectly.
◦ Key loggers, reuse of the same password, etc.
Do not rely only on passwords.
Require additional and physical keys to
Naive passwords are often attacked, but they
are very popular.
◦ “123456”, “password”, “admin”, etc.
Even complex passwords are breakable when
they can be tried an unlimited number of times. (Offline
◦ Locking files with passwords is not safe.
Very complex passwords will be written down
and posted around the desk.
Two-factor authentication is recommended
for various business uses.
Guessing is very easy.
◦ Birth date, year.
◦ Telephone number
◦ Car number
◦ Postal code
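A screening check built from the guessing sources listed above (birth date, telephone number, car number, postal code) and the naive passwords named earlier. This is an added example, not code from the original slides; the denylist and the sample profile are constructed.

```python
import re
from datetime import date

# Constructed denylist: the slides' own examples plus a few common ones.
NAIVE_PASSWORDS = {"123456", "password", "admin", "qwerty", "12345678", "111111"}

# Constructed sample profile: the kind of details an adversary can look up.
SAMPLE_PROFILE = {
    "birthday": date(1985, 7, 24),
    "phone": "03-1234-5678",
    "car_number": "Shinagawa 500 ab 12-34",
    "postal_code": "100-0001",
}

def personal_tokens(profile):
    """Strings guessable from a profile: date formats plus digit/alnum runs."""
    bday = profile["birthday"]
    tokens = {bday.strftime(f) for f in ("%Y", "%Y%m%d", "%m%d", "%d%m", "%y%m%d")}
    for key in ("phone", "car_number", "postal_code"):
        raw = profile[key].lower()
        tokens.add(re.sub(r"\D", "", raw))          # digits only
        tokens.add(re.sub(r"[^a-z0-9]", "", raw))   # letters and digits
    # Drop very short tokens; they would flag almost any password.
    return sorted(t for t in tokens if len(t) >= 4)

def password_weaknesses(password, profile=SAMPLE_PROFILE):
    """Return the reasons a password is guessable; an empty list means it passed."""
    reasons = []
    lowered = password.lower()
    if lowered in NAIVE_PASSWORDS:
        reasons.append("naive password")
    if len(password) < 10:
        reasons.append("shorter than 10 characters")
    for token in personal_tokens(profile):
        if token in lowered:
            reasons.append(f"contains personal detail {token!r}")
    return reasons

if __name__ == "__main__":
    for candidate in ("password", "Taro19850724!", "correct-horse-battery-42"):
        print(candidate, "->", password_weaknesses(candidate) or "ok")
```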
The present state may not be safe anymore.
◦ Technology changes quickly.
◦ Severe security holes are found every month.
◦ Old-fashioned technology like FAX should be
reconsidered before it is continued.
Buy powerful solutions, if you have enough
Otherwise, change the policy to be more protective.
People look at “122” and read it as “112”
Separate long sequences of digits into 2-digit
◦ Write as “12-2”
A PC can read numbers aloud. Listen to the voice to
check the numbers.
Risks are often hidden within individuals.
◦ Violations of the security policy.
◦ Virus-infected PC.
◦ Passwords known only by one person.
During long vacation, the risks cannot be
Retiring employees bring information with
◦ Knowledge in the brain is inerasable. There is no
Hold audits with them, and reach consensus
about information management.
◦ What kinds of information are left behind, and what are not.
Do not put all eggs in one basket
◦ Are files accessible to everyone?
◦ Are PCs open to everyone?
◦ Do administrators always use the powerful admin account?
Partition the information.
Information becomes power when it is
If you say nothing, the counterpart says
◦ Too strict a security policy stops your business.
Plan a win-win strategy
◦ Some of your information can be given to the
counterpart without damaging you.
◦ Likewise, some of their information can be given to you.
Information flow must not stop especially
◦ Natural disasters
◦ Business disasters (terrorism against your products)
Keep several channels to communicate with
customers, employees, and neighbors.
Utilize social networking services.