Information Security: A Practical Overview

Posted on 25-Feb-2022

Page 1: Information Security: A Practical Overview

Page 2: Using this course

There are three icons at the bottom of each page which you may find useful as you progress through the course: lesson menu on/off, audio, and download PDF.

Page 3: Course contents

The course can be completed in 20-30 minutes and includes the following lessons:
Lesson 1: Introduction (4 minutes)
Lesson 2: Practical Advice (14 minutes)
Lesson 3: Learning Assessment (5 minutes)
Lesson 4: Conclusion (2 minutes)
Your progress is displayed at the top of each screen.

Page 4: Lesson 1: Introduction

Page 5: Introduction

Welcome to this practical overview of information security. This course reviews the risks you face when dealing with confidential information. As new technology makes it easier and more convenient to store large amounts of information digitally and online, best practice for protecting that information now applies to nearly everything we do. This course will teach you the practical tips you need in order to keep your information safe and secure. We hope the course will be useful to you in your work and in your personal life!

Page 6: Defining the term

To apply best practice correctly, let's start by clarifying what it means to keep information secure:

Information: An asset that is important to a person's or organisation's business, regardless of whether it is stored digitally, in print or on any other type of media.

Security: The duty to ensure that information is available when needed and remains accurate, while protecting it against theft, disclosure and misuse.

An important mnemonic to remember here is "CIA", which stands for the preservation of the Confidentiality, Integrity and Availability of information: confidentiality means only authorised people can see it, integrity means it is accurate and has not been altered without authorisation, and availability means authorised users can get to it when they need it.

Page 7: A hot button issue

At home, we store bank records, healthcare information, income tax receipts and other confidential files and documents. In the office, we work with sensitive and valuable client and staff information every day. Therefore, we have a personal and professional obligation to protect the confidentiality and security of the information we hold. Unauthorised access or modification could result in both personal and professional disaster!

Page 8: Information security breaches

A failure to preserve the CIA of information is called an information security breach.

A breach may not only tarnish our firm's reputation, but could lead to the loss of clients as well as regulatory fines and penalties.

Page 9: The importance of incident reporting

If you are concerned that an information security weakness exists or that an actual breach has taken place, you must report it to the appropriate person in our firm immediately. Report a suspected problem even if you are not certain: early reporting helps ensure that weaknesses do not become breaches or, if they do, that critical information processing and business functions are restored as quickly as possible. Reporting also allows the incident to be recorded and considered during office risk assessments.

Page 10: Everyone's responsibility

Threats and risks are constantly changing. To manage and control information security effectively, we need to take account of constant change and we must always strive to achieve information security best practice. It is a goal that applies to all individuals and to the organisational culture as a whole.

Bottom line: If you have any information security concerns, bring them to the attention of the manager who has responsibility for taking subsequent action. It's always better to be safe than sorry!

Page 11: Lesson 2: Practical Advice

Page 12: Instructions

In this lesson, you will meet six characters who have prevented or experienced different kinds of information security breaches. Many of the mistakes that lead to a breach are not obvious, and we hope these stories will help you identify and avoid security risks in your own work and personal life.

Page 13: Six areas of best practice

You must click on each character in order to proceed.

Mobile devices (Darren)
Passwords (Sandra)
Social networks (Scott)
Clear desk policy (Ron)
Composing email (Larissa)
Viruses and malware (Janet)

Page 14: Mobile devices (scenario)

Meet Darren. He loves his smartphone and uses it to do everything from looking up movie times to online banking to taking pictures and writing emails. It's also where he stores all of his business and personal contact information. He uses strong passwords and regular backups to protect all of the information on his phone. But Darren is not always careful about how he uses the device itself. Yesterday, while on the way to a client meeting, Darren called his partner to confirm some final details. The train was packed and Darren had to speak up. His conversation was overheard and the client's confidential business was leaked.

Page 15: Mobile devices (learning points)

Information security is not always about the technology. If we want to learn from Darren's mistakes, remember that:

1. We tend to speak louder into mobile phones, so think about who may overhear your phone conversations. Make it a habit not to read, write or discuss confidential information in public.

2. Secure your mobile device with a password or PIN and a short auto-lock timeout, but also store it in a safe place! Don't leave it out on a table or in open sight. Instead, keep it in a drawer, briefcase or handbag.

3. Don't set your smartphone to connect automatically to public Wi-Fi networks, and don't leave Bluetooth discoverable. Whoever runs a network your phone joins on its own can observe or tamper with any unencrypted traffic your apps send over it.

4. Only install apps from official app stores.

5. Lastly, encrypt confidential documents stored on your device and back up this data frequently, so that a lost or wiped device does not also mean lost work.

Page 16: Passwords (scenario)

This is Sandra. She knows it's important to create a password that's difficult for strangers to guess, but easy for her to remember. So, she decided to use her childhood street address as her standard password for her email, online banking, work computer, Facebook, LinkedIn and more. Sandra thought this password would protect her information from intruders. However, she soon found out that her Facebook account had been compromised. Since she used the same password for multiple accounts, none of her information was safe.

Page 17: Passwords (learning points)

Using strong passwords is extremely important when it comes to information security. A compromised password can result in theft of client information or even your own identity. So, keep the following tips in mind:

1. Do not re-use a password. Come up with different passwords for your work computer, email accounts, bank accounts, mobile devices and social networking sites. Then if one password is compromised, the others are still secure. Where a site offers two-factor authentication, turn it on: a stolen password alone will then not be enough to get in.

2. Don't use passwords that are simple for other people to guess, such as street addresses, birthdays, pet names or sequential numbers.

3. Choose passwords that appear complicated but are easy for you to remember. Try abbreviating a phrase that includes letters, numbers and special characters. For example, "My 2 kids are called Jill and Charlie" could be abbreviated to create a strong password: M2kacJ&C. Length matters as much as variety, so treat eight characters as a floor rather than a target; a longer phrase-based password is harder to crack.

4. Protect your passwords. Don't write them down or leave them lying about, and never share them with others. If you have more unique passwords than you can remember, a reputable password manager is the safe alternative to a notebook or sticky note.

5. Lastly, be cautious about using your passwords to access secure data on any device that does not belong to you or the firm. Make it a habit to only use machines you trust!
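As an added example, not part of the original course: a small Python check that applies the rules above to a candidate password, builds a password from a phrase the way point 3 suggests, and detects the kind of re-use across sites that caught Sandra out. The personal details (street, children's names, pet, birthday), the registry salt and the 12-character minimum are constructed assumptions for illustration; the page itself states no length rule.

```python
import hashlib
import hmac
import re
from datetime import date

# Constructed personal details for the "Sandra" scenario: facts an attacker
# could learn about her and try in a guess (street, kids, pet, birthday).
SANDRA_HINTS = ["maple", "jill", "charlie", "rover"]
SANDRA_BIRTHDAY = date(1985, 7, 14)
MIN_LENGTH = 12  # assumption: stricter than the 8-character example on the page


def has_sequence(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` consecutive ascending or descending
    characters such as 1234, 4321 or abcd."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        codes = [ord(c) for c in s[i:i + run]]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def contains_birthday(pw: str, birthday: date) -> bool:
    """True if the digits in pw contain the birthday in a common layout."""
    layouts = ("%d%m%Y", "%d%m%y", "%Y%m%d", "%m%d%Y", "%m%d%y", "%d%m", "%m%d", "%Y")
    digits = re.sub(r"\D", "", pw)
    return any(birthday.strftime(f) in digits for f in layouts)


def password_problems(pw: str, hints=SANDRA_HINTS, birthday=SANDRA_BIRTHDAY) -> list[str]:
    """Reasons a candidate password is guessable; an empty list means it passed."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if has_sequence(pw):
        problems.append("contains a sequential run of characters")
    if contains_birthday(pw, birthday):
        problems.append("contains a birthday")
    problems += [f"contains personal detail '{h}'" for h in hints if h in pw.lower()]
    return problems


def abbreviate_phrase(phrase: str) -> str:
    """Build a password from a phrase as the learning points suggest: first
    letter of each word, digits kept whole, the word 'and' becomes '&'."""
    out = []
    for word in phrase.split():
        if word.lower() == "and":
            out.append("&")
        elif word.isdigit():
            out.append(word)
        else:
            out.append(word[0])
    return "".join(out)


def fingerprint(pw: str, salt: bytes) -> bytes:
    # Slow hash so the registry never holds the passwords themselves.
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, 100_000)


class ReuseRegistry:
    """Keeps one fingerprint per site so that using the same password on a
    second site can be detected. A single registry-wide salt is deliberate:
    equal passwords must give equal fingerprints, or re-use is invisible."""

    def __init__(self, salt: bytes):
        self._salt = salt
        self._by_site: dict[str, bytes] = {}

    def register(self, site: str, pw: str) -> None:
        self._by_site[site] = fingerprint(pw, self._salt)

    def reused_on(self, site: str, pw: str) -> list[str]:
        """Other sites already registered with exactly this password."""
        fp = fingerprint(pw, self._salt)
        return sorted(s for s, f in self._by_site.items()
                      if s != site and hmac.compare_digest(f, fp))


if __name__ == "__main__":
    reg = ReuseRegistry(salt=b"constructed-demo-salt")
    reg.register("email", "MapleStreet1985")   # Sandra's childhood street
    reg.register("bank", "MapleStreet1985")
    for pw in ("MapleStreet1985", abbreviate_phrase("My 2 kids are called Jill and Charlie")):
        print(pw, password_problems(pw), "also used on:", reg.reused_on("facebook", pw))
```

The street-address password fails on two counts (a personal detail and a birth year) and is reported as already in use on two other sites; the phrase-based password passes every guessability check but is still flagged as short, which is the caveat added to point 3.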

Page 18: Social networks (scenario)

Meet Scott. He works frequently with his colleague Jennie. She has left on a business trip to meet one of their clients. Shortly after her departure, Scott receives a LinkedIn message from Jennie saying that she's lost her laptop and needs him to send her the documents they have been working on. She says that without her laptop, she cannot access her work email and would like him to send the information via LinkedIn. Scott sends her the information without another thought. However, it turns out that Jennie did not lose her laptop at all. Rather, her LinkedIn account was hacked by someone trying to maliciously acquire the business documents.

Page 19: Social networks (learning points)

Professional and social networking sites can be useful, but you need to be very careful when using them. Here are some general rules:

1. Never post or send any confidential information, about your firm, any of your firm's clients, your colleagues or yourself, on any website.

2. An unscrupulous person could create a social networking account, or take over a real one, with malicious intent to target you or the firm. Manipulating people into revealing sensitive information or taking an action, for example by impersonating a person or organisation they trust, is known as social engineering.

3. If a contact sends an unexpected request for documents or information, verify it through a different channel you already trust, such as a phone call to a number you know, before sending anything. A quick call to Jennie would have exposed the fake message.

4. If your contacts tell you that they have received suspicious messages or links from you that you know you didn't send, your account has probably been hacked.

5. If you are hacked, change your password immediately and contact the Information Security Team if you are concerned about a leak of any firm or client information.

6. In general, assume that anything you put on a social networking site will become publicly accessible.

Page 20: Clear desk policy (scenario)

This is Ron. He has an important meeting today. Ron arrived at the office early to print client emails and notes for the meeting. Halfway through printing, the ink in Ron's printer ran out. He cancelled the rest of the print job, left the printouts in the tray and copied the documents to a USB drive to print elsewhere in the office. When he returned, Ron put the USB drive down on his desk and opened his computer calendar to check the meeting information. Then he grabbed his briefcase and ran off to catch the train.

Page 21: Clear desk policy (learning points)

Personal and professional information is vulnerable and should be actively protected at all times. Complying with a "clear desk policy" can help you achieve this. Here are some general rules:

1. Do not leave calendars, day planners, portable media storage devices, Post-Its or anything else containing sensitive information out on your desk or plugged into your computer. These items should be taken with you or stored in a locked drawer when you are not around.

2. Always remember to empty the printer tray. Printed pages should be removed from the tray and securely stored (or shredded).

3. When you leave your computer, make it a habit to lock the screen, or to close applications and log out.

4. At the end of the working day, allocate time to tidy your workspace and safely put away all paperwork.

5. If you find papers you don't need any more, separate them into two piles: confidential or not confidential. Shred the confidential paperwork and recycle the rest.

Page 22: Composing email (scenario)

This is Larissa. She is working from her home office today and is conducting most communication with her team via email. She is working on an important case about the employment policies of a local university. Upon completing her review of some confidential data, she is interrupted by a personal phone call. Her secretary, Donna Thomas, is waiting for the university data, so Larissa opens a new email while still on the phone and starts typing Donna's name. Outlook's Auto-Complete function filled in the rest of the name without Larissa paying attention. She clicked "Send" and finished her phone call. Later, she realised Auto-Complete had actually filled in Donald Thomas's email address and the university's confidential information was leaked!

Page 23: Composing email (learning points)

Most people have inadvertently sent an email to an unintended recipient at some point or another. It's a simple mistake, but one that can have embarrassing or even disastrous results! So take care when composing and responding to your messages and keep the following in mind:

1) The Outlook Auto-Complete feature automatically displays suggestions for names and email addresses as you start to type in the To, CC or BCC boxes.

2) The suggestions are based on your previous emails, which means that if you ever typed an email address incorrectly or added one that was similar to an existing contact, all of these will be remembered and could cause confusion.

3) Pay close attention to Auto-Complete suggestions to ensure you select the correct recipient; check the address behind the suggestion, not just the display name. It's a good idea to remove contacts that are no longer current or accurate so that a hastily sent email does not accidentally go to someone with a name similar to the intended recipient.

4) Be careful when using the Reply All feature. Always check the recipient list first and remove any unnecessary names. You don't want to accidentally send private information to the wrong people!

5) When forwarding a message with many emails in the thread, make sure everything in the thread is appropriate for the recipient to see. If any part or parts are not necessary, delete that content from the thread.
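Added example, not from the original course: a pre-send recipient check of the kind that would have stopped Larissa's email. It warns when the chosen address looks like another entry in the address book (the Donna/Donald confusion in point 3) and when a message marked confidential is addressed outside the firm (the Reply All case in point 4). The address book, the domains and the similarity threshold are constructed assumptions, not anything Outlook exposes.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed address book standing in for the Auto-Complete cache.
ADDRESS_BOOK = {
    "donna.thomas@firm.example": "Donna Thomas",
    "donald.thomas@former-client.example": "Donald Thomas",
    "scott.reid@firm.example": "Scott Reid",
}
INTERNAL_DOMAINS = {"firm.example"}
SIMILARITY_THRESHOLD = 0.8  # assumption; tune against your own directory


def _similar(a: str, b: str) -> float:
    """0.0 (nothing in common) to 1.0 (identical), case-insensitive."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def lookalikes(address: str, book: dict[str, str],
               threshold: float = SIMILARITY_THRESHOLD) -> list[str]:
    """Other address-book entries whose display name or mailbox part
    resembles the chosen one closely enough to be picked by mistake."""
    local = address.split("@")[0]
    name = book.get(address, local)
    hits = []
    for other, other_name in book.items():
        if other == address:
            continue
        if (_similar(name, other_name) >= threshold
                or _similar(local, other.split("@")[0]) >= threshold):
            hits.append(other)
    return sorted(hits)


def presend_check(recipients: list[str], confidential: bool,
                  book: dict[str, str] = ADDRESS_BOOK,
                  internal: set[str] = INTERNAL_DOMAINS) -> list[str]:
    """Warnings to show before a message is sent; empty means no concerns."""
    warnings = []
    for raw in recipients:
        _, addr = parseaddr(raw)          # "Name <addr>" or bare addr
        addr = addr.lower()
        domain = addr.rpartition("@")[2]
        if confidential and domain not in internal:
            warnings.append(f"{addr}: external recipient on a confidential message")
        for other in lookalikes(addr, book):
            warnings.append(f"{addr}: easily confused with {other} ({book[other]})")
    return warnings


if __name__ == "__main__":
    chosen = ["Donald Thomas <donald.thomas@former-client.example>"]
    for w in presend_check(chosen, confidential=True):
        print("WARNING:", w)
```

Both warnings fire for Larissa's case: the address is outside the firm, and it sits within the similarity threshold of Donna's entry. The check is deliberately symmetric, so choosing Donna also prompts a look at Donald; the point is to make the sender look at the address, not to decide for them.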

Page 24: Viruses and malware (scenario)

Meet Janet. Janet just received an email from an internationally known company operating overseas. She has not worked with them previously. The email says they are trying to collect a debt from a third party located in Janet's jurisdiction and require legal representation to do so. The message has a zip file attached and instructions for Janet to open it to familiarise herself with the case details and history. Being wary of email scams and never having heard from this company before, Janet is reluctant to open an attachment from the unknown sender. Instead, she asks the IT Department to take a look at the email on her computer. They recognise that the email is a fake and tell her that the zip file contains malware!

Page 25: Viruses and malware (learning points)

As we see from Janet's example, it's always better to be safe than sorry! Here are a few more tips about recognising and avoiding viruses and malware:

1. Are you sure the email actually came from the sender? Cyber criminals can hide the origin of a message and make it appear to come from a trusted contact. This is known as email spoofing or forging email headers. The tactic is used to gain your trust and lead you to perform an action, such as opening an attachment or clicking on a link. The display name is the easiest part to fake, so look at the actual address behind it, and be suspicious if the reply address points somewhere other than the apparent sender.

2. Check the body of the email for a proper greeting, grammar and spelling. If the message is not addressed to anyone in particular or contains spelling and grammatical mistakes, these are often good indicators that the email is a scam. The reverse does not hold: a well-written message can still be a scam.

3. An attached zip file should automatically be considered suspicious and put you on guard: an archive can carry an executable past a mail filter, and the same goes for other archive formats and for documents that ask you to enable macros.

4. So, before you open attachments, make sure you know who the sender is and that you trust the security of the attachment. If anything seems strange or out of place, do not open or download the attachment.

5. Remember to report suspicious emails to the IT Department so that appropriate action can be taken or an internal communication sent out to warn others of a particular email scam.
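Added example, not part of the original course: a Python triage of a raw email that applies points 1 to 3 above. It compares the From domain with the Return-Path and Reply-To domains (a mismatch is typical of spoofed mail, though legitimate bulk mailers can produce one too), looks for a generic greeting, and flags archive and executable attachments, going beyond the page's zip example to other risky types. Both messages are constructed for the example and the domains are fictitious; the empty zip payload is a valid but contentless archive.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed message modelled on Janet's scenario (not a real sample).
SUSPICIOUS_EMAIL = """\
Return-Path: <bounce-9921@bulk-relay.example.net>
From: "Globex Legal Department" <legal@globex.example>
Reply-To: <globex.collections@freemail.example>
To: janet@firm.example
Subject: Urgent: legal representation required for debt recovery
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Dear Sir/Madam,

We are trying to collect a debt from a third party in your jurisdiction
and require legal representation. Please open the attached file to
familiarise yourself with the case details and history.

--b1
Content-Type: application/zip; name="Case_Details.zip"
Content-Disposition: attachment; filename="Case_Details.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

# Constructed ordinary internal message for comparison.
LEGIT_EMAIL = """\
From: "Jennie Park" <jennie.park@firm.example>
To: scott.reid@firm.example
Subject: Draft for Tuesday
Content-Type: text/plain; charset="utf-8"

Hi Scott,

Comments on the draft are in the document library, folder 14.
"""

# Assumption: archives and executables are the types worth a second look.
RISKY_EXTENSIONS = (".zip", ".rar", ".7z", ".iso", ".exe", ".scr", ".js", ".vbs")
GENERIC_GREETING = re.compile(r"^(dear\s+)?(sir|madam|customer|user|client)\b", re.I)


def _domain(header_value) -> str:
    """Domain part of an address header, or '' if the header is absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def phishing_indicators(raw: str) -> list[str]:
    """Human-readable reasons to distrust the message; empty means none found."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []

    # Point 1: the visible From is cheap to forge; the envelope sender and
    # reply address are where a spoofed message usually gives itself away.
    from_dom = _domain(msg.get("From"))
    for header in ("Return-Path", "Reply-To"):
        dom = _domain(msg.get(header))
        if dom and dom != from_dom:
            flags.append(f"{header} domain {dom} differs from From domain {from_dom}")

    # Point 2: a message addressed to nobody in particular.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    first_line = next((line.strip() for line in text.splitlines() if line.strip()), "")
    if GENERIC_GREETING.match(first_line):
        flags.append(f"generic greeting: {first_line!r}")

    # Point 3: archive or executable attachments.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            flags.append(f"risky attachment: {name}")
    return flags


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_EMAIL), ("legit", LEGIT_EMAIL)):
        print(label, phishing_indicators(raw))
```

The scam message trips all four checks; Jennie's note trips none. Treat the output as a prompt to verify, not a verdict: point 2's caveat applies in reverse as well, since a targeted message from a compromised real mailbox passes every one of these checks.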

Page 26: Well done

You have just completed Lesson 2. We hope these stories have given you some practical context for information security best practice. Now, you are ready to continue to the next lesson to test your understanding of the course material.

Page 27: Lesson 3: Learning Assessment

Page 28: Instructions

Welcome to the Learning Assessment. You will now be presented with five multiple choice questions that will review the information covered in this course.

You must achieve the pass mark of ___% to complete the course.

Good luck!

Page 29: Question 1

Information security is primarily a technology issue.

True
False

Page 30: Feedback

Correct/Incorrect
Information security is as much about technology as it is about culture. We need to make it standard practice at our firm to put in place controls that target both. It is not enough to simply use secure passwords if you leave your mobile devices unattended. Or you could be strictly compliant with the firm's policy on not using public Wi-Fi networks while travelling, but if someone overhears you speaking on the phone, you could run into the very same security issues. So, to manage and control information security effectively, we must always strive to achieve information security best practice on all fronts.

Page 31: Question 2

When creating a new password, you should NOT:

Use abbreviated phrases
Use names and birthdays
Use lowercase and uppercase letters

Page 32: Feedback

Correct/Incorrect
Creating secure passwords is of the utmost importance when you are handling confidential information. Remember to make new passwords that are:

not identical or too similar to ones you've previously used;
easy for you to remember; and
difficult for anyone else to guess.

Note: Hackers may use information about you (e.g. your birthday, spouse's name, address) or sophisticated computer programs to guess your password. So be sure to avoid obvious or simple passwords.

Page 33: Question 3

What is a social engineer?

A person who designs, builds or maintains social networking sites
A person who attempts to acquire sensitive information by pretending to be someone they are not
A person who manages organisational leadership and compliance with employment and personal security laws

Page 34: Feedback

Correct/Incorrect
A social engineer is a con artist. They are people or entities who try to gain your trust in order to trick you into revealing passwords or other confidential information that could compromise the security of your client, your firm or you. If you receive an information request that seems odd or out of place, be sure to verify who sent it. If you cannot verify this, do not respond. Report the suspicious activity to your manager.

Page 35: Question 4

What is the first thing you should do if you realise your LinkedIn account has been hacked?

Turn off your computer or mobile device
Sign out of your other social networking accounts
Change your password

Page 36: Feedback

Correct/Incorrect
If you are hacked, you need to change your password immediately. If the attacker has already changed the password and locked you out, use the site's account-recovery process to regain control of the account. Contact the Information Security Team if you are concerned about a leak of any firm or client information. Bottom line: Threats and risks are constantly changing. If you are concerned that an information security breach has taken place, it's always better to be safe than sorry.

Page 37: Question 5

How can you protect your mobile devices when away from the office?

Never leave them unattended
Use a security cable or physical lock
Check to make sure no one is looking at or listening to your work
Set up a secure password or PIN code
All of the above

Page 38: Feedback

Correct/Incorrect
Remember: Information security is not always about the technology! Taking proper care of your mobile device is half the battle. Make it a habit to use mobile devices safely and securely and you will significantly reduce the risks of remote working. Think about it: If you were carrying a case of diamonds to a meeting, would you put it on the overhead rack of the train? Certainly not! You would hold the case and ensure that no unauthorised person touched it. Treat your laptop, mobile phone and other devices the same way.

Page 39: Learning Assessment score

Well done! Click the 'next' arrow to continue to Lesson 4 and complete the course.

Page 40: Lesson 4: Conclusion

Page 41: Be aware of risks

Before we conclude, let's review a few final points:

Permanent staff, clients and visitors who have access to data and information can compromise that information by design or by accident.

All of our information must be actively protected against viruses, malware, hackers and other cyber criminals.

Page 42: Firm procedures

Our firm has an information security policy that sets out appropriate procedures based on key areas of risk. It is important that you understand it thoroughly. If you have any questions or require any clarification on any part of our firm's procedures, contact the appropriate person in our firm for guidance.

Page 43: Conclusion

We live and work in an era of rapidly evolving technology. We hope that this course has helped you learn how to use that new technology to work effectively, efficiently and safely.

Remember: Every staff member has a responsibility to be active in preventing information security breaches. If you identify a gap or vulnerability in our firm's security policy, it is your duty to report it. Thank you for completing this course.