Here in hackercombat.com, we feature stories of virus infection, phishing incidents and other issues involving private and public sectors because of external risks. However, IT troubles in companies are not really made by outsiders, but human error inside the organization. It is necessary to think about how employees really think about the notion of “do not leak information”, “don’t do this”, “don’t do that”. Too many rules to a point that people in the organization forget some of them, potentially doing something with the nasty result. It is not a walk-in-the-park for any company can recover from a very bad “human error”.
Below are types of human errors:
1. Human Error in Management
It may be difficult to understand what it means to say “management error”, examples are:
- Lost of personal information after moving.
- The confirmation of delivery of personal information is insufficient, and the personal information that should have been received is lost
- Disclosure of information, management rules have not been clarified and have been disclosed by mistake
Even though there are information management rules and security policies in a company, management has not been done according to those rules. Or there is a possibility that such a rule has not been decided at all. This indicates that it is important for employees to undergo security education etc. thoroughly, and that management procedures regarding company information including personal information are important.
2. Misoperation
This is true for both emails and faxes. Entering wrong addresses, wrong content, wrong attachment, etc. This is one of the most common of all human errors. It is necessary to thoroughly educate employees on security so as not to make such mistakes.
3. Unauthorized access
Although the rate is low compared to mismanagement and mis-operation, external unauthorized access via the Internet is continuously performed, and its attack methods are also evolving. Since this is often accompanied by attacks such as malware, it is important to be careful as it leads to the stealing of a lot of personal information if it is damaged. Basic security measures such as “install anti-virus software“ are important but not absolute measures against “unauthorized access“.
4. Lost and misplaced
It is a case that brings out information equipment such as a personal computer outside the work area, including the data it contains or it is lost/misplaced. Nowadays, tablet PCs and smartphones contain a lot of information, so it requires careful handling. It seems that it is frequent to get drunk and to leave it, but it is the worst thing. Because this lost/forgotten occurs at a high rate, it is necessary to take measures such as establishing strict rules for taking out data.
5. Unauthorized takeout and theft
To raise awareness for those who handle information. Implement a mechanism that can not be easily taken out by the information system, and that it can not be used even when taken out. This is based on the idea that access to information and security precautions should be addressed by both the person who uses it, the system that handles it, both are usually not enough in a typical organization.
Practical ways to prevent IT issues caused by “human errors”:
- Information learned from the firm, should remain in the firm.Do not bring out information assets of companies or organizations outside. Specifically, take your laptop computer, USB memory, etc. home without permission. If permission is provided, make sure the storage devices are encrypted. This will prevent information leakage in the event that the laptop or storage device is lost.
- Do not leave important documents on the desk, likewise never write critical information on post-it notes and never paste it on the monitor.
- Do not leave the computer without locking the screen
- Do not discard information assets easily without measures. Be sure to erase etc. Specifically, when discarding a PC, be sure to delete the data on the hard disk if not physically destroy the disk.
- Do not inadvertently bring private equipment (PCs etc.) into the company, unless BYOD is allowed.
- Lock and No Loan – Do not lend or transfer the rights given to an individual to others without permission
- Prohibition of information – Do not profess the information you have learned on business without permission.
