TRANSCRIPT
Information Security: A Practical Overview
Using this course
There are three icons at the bottom of each page which you may find useful as you progress through the course.
Lesson Audio
Download PDF
Menu on/off
Course contents
The course can be completed in 20-30 minutes and includes the following lessons:
Lesson 1: Introduction (4 minutes)
Lesson 2: Practical Advice (14 minutes)
Lesson 3: Learning Assessment (5 minutes)
Lesson 4: Conclusion (2 minutes)
Your progress is displayed at the top of each screen.
Lesson 1: Introduction
Introduction
Welcome to this practical overview of information security. This course reviews the risks that you face when dealing with confidential information. As new technology makes it easier and more convenient to store large amounts of information digitally and online, best practice to protect that information has become applicable in nearly everything that we do. This course will teach you the practical tips you need to know in order to ensure that your information remains safe and secure. We hope the course will be useful to you in your work and in your personal life!
Defining the term
To apply best practice correctly, let's start by clarifying what it means to keep information secure:
Information:
An asset that is important to a person or organisation’s business (regardless of whether it is stored digitally, in print or on any other type of media).
Security:
The duty to ensure that data is available and accurate while protecting it against theft and misuse.
An important mnemonic to remember here is “CIA”, which stands for the preservation of Confidentiality, Integrity and Availability of information.
A hot button issue
At home, we store bank records, healthcare information, income tax receipts and other confidential files and documents. In the office, we work with sensitive and valuable client and staff information every day. Therefore, we have a personal and professional obligation to protect the confidentiality and security of the information we hold. Unauthorised access or modification could result in both personal and professional disaster!
Information security breaches
A failure to preserve the CIA of information is called an information security breach.
A breach may not only tarnish our firm’s reputation, but could lead to the loss of clients as well as regulatory fines and penalties.
The importance of incident reporting
If you are concerned that an information security weakness exists or that an actual breach has taken place, you must report it to the appropriate person in our firm immediately. This will help ensure that information security weaknesses do not become breaches or – if they do – that critical information processing and business functions are restored as quickly as possible. Reporting also allows the incident to be recorded and considered during office risk assessments.
Everyone's responsibility
Threats and risks are constantly changing. To manage and control information security effectively, we need to take account of constant change and we must always strive to achieve information security best practice. It is a goal that applies to all individuals and to the organisational culture as a whole.
Bottom line: If you have any information security concerns, bring them to the attention of the manager who has responsibility for taking subsequent action. It's always better to be safe than sorry!
Lesson 2: Practical Advice
Instructions
In this lesson, you will meet six characters who have prevented or experienced different kinds of information security breaches. A lot of the mistakes that happen are not so obvious and we hope these stories will help you identify and avoid security risks in your own work and personal life.
Six areas of best practice
You must click on each character in order to proceed.
Mobile devices (Darren)
Passwords (Sandra)
Social networks (Scott)
Clear desk policy (Ron)
Composing email (Larissa)
Viruses and malware (Janet)
Mobile devices (scenario)
Meet Darren. He loves his Smartphone and uses it to do everything from looking up movie times to online banking to taking pictures and writing emails. It’s also where he stores all of his business and personal contact information. He uses secure passwords and regular backups to protect all of the information on his phone. But Darren is not always careful about using the device itself. Yesterday, while on the way to a client meeting, Darren called his partner to confirm some final details. The train was packed and Darren had to speak up. His conversation was overheard and the client’s confidential business was leaked.
Mobile devices (learning points)
Information security is not always about the technology. If we want to learn from Darren’s mistakes, remember that:
1. We tend to speak louder into mobile phones, so think about who may overhear your phone conversations. Make it a habit not to read, write or discuss confidential information in public.
2. Remember not only to secure your mobile device with password protection, but also to store it in a safe place! Don’t leave it out on a table or in open sight. Instead, store it in a drawer, briefcase or hand bag.
3. Don’t have your Smartphone set to automatically connect to public Wi-Fi networks and don’t leave Bluetooth auto-discovery on.
4. Only download apps that come from official sources.
5. Lastly, it’s important to encrypt confidential documents stored on your device and back up this data frequently.
Passwords (scenario)
This is Sandra. She knows it’s important to create a password that’s difficult for strangers to guess, but easy for her to remember. So, she decided to use her childhood street address as her standard password for her email, online banking, work computer, Facebook, LinkedIn and more. Sandra thought this password would protect her information from intruders. However, she soon found out that her Facebook account had been compromised. Since she used the same password for multiple accounts, none of her information was safe.
Passwords (learning points)
Using strong passwords is extremely important when it comes to information security. A compromised password can result in theft of client information or even your own identity. So, keep the following tips in mind:
1. Do not re-use a secure password. Come up with different passwords for your work computer, email accounts, bank accounts, mobile devices and social networking sites. Then if one password is compromised, the others are still secure.
2. Don’t use passwords that are simple for other people to guess, such as street addresses, birthdays, pet names or sequential numbers.
3. Choose passwords that appear complicated but are easy for you to remember. Try abbreviating a phrase that includes letters, numbers and special characters. For example, “My 2 kids are called Jill and Charlie” could be abbreviated to create a strong password: M2kacJ&C.
4. Protect your passwords. Don’t write them down or leave them lying about and never share them with others.
5. Lastly, be cautious about using your passwords to access secure data on any device that does not belong to you or the firm. Make it a habit to only use machines you trust!
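The password learning points above can be turned into checks. The following is an added example written for this transcript, not code from the course or its publisher: it flags the habits Sandra's story warns against (re-use across accounts, a guessable personal fact such as a street address or pet name, a run of sequential digits, and too few character classes) and reproduces the phrase-abbreviation technique from point 3. The personal facts, the existing passwords and the minimum length are constructed assumptions; the course names none of them.

```python
"""Password hygiene checks illustrating the lesson's learning points.

Added example (not part of the course). The personal facts, the set of
passwords already in use and MIN_LENGTH are constructed for illustration.
A real system would never hold other accounts' passwords in plain text;
the plaintext set here only stands in for a re-use check.
"""
import re
import string

MIN_LENGTH = 8  # assumed minimum; the course does not name one


def abbreviate_phrase(phrase: str) -> str:
    """Phrase-abbreviation technique from learning point 3: keep the first
    character of each word (digits survive as themselves) and write 'and' as '&'.
    'My 2 kids are called Jill and Charlie' -> 'M2kacJ&C'."""
    parts = []
    for word in phrase.split():
        parts.append("&" if word.lower() == "and" else word[0])
    return "".join(parts)


def has_sequential_digits(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` consecutive ascending or descending digits
    (for example 1234 or 4321), one of the guessable patterns in point 2."""
    for i in range(len(pw) - run + 1):
        chunk = pw[i:i + run]
        if not chunk.isdigit():
            continue
        diffs = {int(b) - int(a) for a, b in zip(chunk, chunk[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def character_classes(pw: str) -> int:
    """Count how many of lower, upper, digit and punctuation appear in pw."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])


def _compact(text: str) -> str:
    """Lower-case and drop spaces/punctuation so '12 Elm Street' matches '12ElmStreet'."""
    return re.sub(r"\W", "", text).lower()


def check_password(candidate: str, existing_passwords: set, personal_facts: list) -> list:
    """Return a list of findings; an empty list means no concern was raised."""
    findings = []
    if candidate in existing_passwords:
        findings.append("re-used: identical to a password on another account")
    if len(candidate) < MIN_LENGTH:
        findings.append(f"too short: fewer than {MIN_LENGTH} characters")
    for fact in personal_facts:
        if _compact(fact) and _compact(fact) in _compact(candidate):
            findings.append(f"guessable: contains personal fact '{fact}'")
    if has_sequential_digits(candidate):
        findings.append("guessable: contains a run of sequential digits")
    if character_classes(candidate) < 3:
        findings.append("weak mix: use letters, numbers and special characters")
    return findings


# Constructed sample data: facts an attacker could learn about Sandra, and the
# password she already uses on other sites.
PERSONAL_FACTS = ["12 Elm Street", "Jill", "Charlie", "Rex"]
SANDRA_EXISTING = {"12ElmStreet"}

if __name__ == "__main__":
    print("Sandra's address reused:", check_password("12ElmStreet", SANDRA_EXISTING, PERSONAL_FACTS))
    strong = abbreviate_phrase("My 2 kids are called Jill and Charlie")
    print(strong, "->", check_password(strong, SANDRA_EXISTING, PERSONAL_FACTS))
```

Running the block shows the address-based password failing on both the re-use and the personal-fact checks, while the abbreviated phrase passes all of them.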
Social networks (scenario)
Meet Scott. He works frequently with his colleague Jennie. She has left on a business trip to meet one of their clients. Shortly after her departure, Scott receives a LinkedIn message from Jennie saying that she’s lost her laptop and needs him to send her the documents they have been working on. She says that without her laptop, she cannot access her work email and would like him to send the information via LinkedIn. Scott sends her the information without another thought. However, it turns out that Jennie did not lose her laptop at all. Rather, her LinkedIn account was hacked by someone trying to maliciously acquire the business documents.
Social networks (learning points)
Professional and social networking sites can be useful, but you need to be very careful when using them. Here are some general rules:
1. Never post or send any confidential information – about your firm, any of your firm’s clients, your colleagues or yourself – on any website.
2. An unscrupulous person could create a social networking account with malicious intent to target you or the firm. Impersonating any person or organisation to trick you into revealing sensitive information is known as social engineering.
3. If your contacts tell you that they have received suspicious messages or links from you that you know you didn’t send, your account has probably been hacked.
4. If you are hacked, you need to change your password immediately and contact the Information Security Team if you are concerned about a leak of any firm or client information.
5. In general, assume that anything you put on a social networking site will become publicly accessible.
Clear desk policy (scenario)
This is Ron. He has an important meeting today. Ron arrived at the office early to print client emails and notes for the meeting. Halfway through printing, the ink in Ron’s printer ran out. He cancelled the rest of the print job, left the printouts in the tray and copied the documents to a USB drive to print elsewhere in the office. When he returned, Ron put the USB drive down on his desk and opened his computer calendar to check the meeting information. Then he grabbed his briefcase and ran off to catch the train.
Clear desk policy (learning points)
Personal and professional information is vulnerable and should be actively protected at all times. Complying with a “clear desk policy” can help you achieve this. Here are some general rules:
1. Do not leave calendars, day planners, portable media storage devices, Post-Its or anything else containing sensitive information out on your desk or plugged into your computer. These items should be taken with you or stored in a locked drawer when you are not around.
2. Always remember to empty your printer tray. Printed pages should be removed from the tray and securely stored (or shredded).
3. When you leave your computer, make it a habit to close applications and log out.
4. At the end of the working day, allocate time to tidy your workspace and safely put away all paperwork.
5. If you find papers you don’t need anymore, separate them into two piles: confidential or not confidential. Shred the confidential paperwork and recycle the rest.
Composing email (scenario)
This is Larissa. She is working from her home office today and is conducting most communication with her team via email. She is working on an important case about the employment policies of a local university. Upon completing her review of some confidential data, she is interrupted by a personal phone call. Her secretary, Donna Thomas, is waiting for the university data, so Larissa opens a new email while still on the phone and starts typing the name. Outlook’s Auto-Complete function fills in the rest of the address without Larissa paying attention. She clicks “Send” and finishes her phone call. Later, she realises Auto-Complete had actually filled in Donald Thomas’ email address and the university’s confidential information has been leaked!
Composing email (learning points)
Most people have inadvertently sent an email to an unintended recipient at some point or another. It’s a simple mistake – but one that can have embarrassing or even disastrous results! So take care when composing and responding to your messages and keep the following in mind:
1) The Outlook Auto-Complete feature automatically displays suggestions for names and email addresses as you start to type in the To, CC or BCC boxes.
2) The suggestions are based on your previous emails, which means that if you ever typed an email address incorrectly or added one that was similar to an existing contact, all of these will be remembered and could cause confusion.
3) Pay close attention to Auto-Complete suggestions to ensure you select the correct recipient. It’s a good idea to remove contacts that are no longer current or accurate so that a hastily sent email does not accidentally get sent to someone with a name similar to the intended recipient.
4) Be careful when using the Reply All feature. Always check the recipient list first and remove any unnecessary names. You don’t want to accidentally send private information to the wrong people!
5) When forwarding a message with many emails in the thread, make sure everything in the thread is appropriate for the recipient to see. If any part or parts are not necessary, delete that content from the thread.
Viruses and malware (scenario)
Meet Janet. Janet just received an email from an internationally known company operating overseas. She has not worked with them previously. The email says they are trying to collect a debt from a third party located in Janet’s jurisdiction and require legal representation to do so. The message has a zip file attached and instructions for Janet to open it to familiarise herself with the case details and history. Being wary of email scams and never having heard from this company before, Janet is reluctant to open an attachment from the unknown sender. Instead, she asks the IT Department to take a look at the email on her computer. They recognise that the email is a fake and tell her that the zip file contains a malicious virus!
Viruses and malware (learning points)
As we see from Janet’s example, it’s always better to be safe than sorry! Here are a few more tips about recognising and avoiding viruses and malware:
1. Are you sure the email actually came from the sender? Cyber criminals can hide the origin of a message and make it appear to come from a trusted contact. This is known as email spoofing or forging email headers. This tactic is used to gain your trust and lead you to perform an action, such as opening an attachment or clicking on a link.
2. Check the body of the email content for proper greetings, grammar and spelling. If the message is not addressed to anyone in particular or if it contains spelling and grammatical mistakes, these are often good indicators that the email is a scam.
3. An attached zip file should automatically be considered suspicious and put you on guard.
4. So, before you open attachments, make sure you know who the sender is and that you trust the security of the attachment. If anything seems strange or out of place – do not open or download the attachment.
5. Remember to report suspicious emails to the IT Department so that appropriate action can be taken or an internal communication sent out to warn others of a particular email scam.
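The warning signs in learning points 1 to 3 can be checked mechanically before anyone opens an attachment, which is the kind of triage an IT Department runs when a message like Janet's is reported. The following is an added example written for this transcript, not code from the course or its publisher. It parses a raw message with Python's standard `email` package and flags three indicators: a From address whose domain differs from the Reply-To or Return-Path (one practical sign of a spoofed or forged header, though not the only one), a generic or missing greeting, and a zip attachment. Both messages below are constructed; the addresses and domains are placeholders.

```python
"""Phishing triage checks illustrating the viruses-and-malware learning points.

Added example (not part of the course). The two messages are constructed for
illustration; the domains and addresses are placeholders. The checks are
indicators to prompt a closer look, not proof that a message is malicious.
"""
from email import message_from_string, policy
from email.utils import parseaddr

# Greetings that address no one in particular (learning point 2).
GENERIC_GREETINGS = ("dear sir", "dear madam", "dear customer",
                     "dear user", "to whom it may concern")

# Constructed message modelled on Janet's story: unknown company, debt
# collection pretext, zip attachment, reply path on a different domain.
SUSPICIOUS_MESSAGE = """\
From: "Accounts Department" <accounts@example-company.test>
Reply-To: <collections@mail-relay.example>
Return-Path: <bounce@mail-relay.example>
To: janet@law-firm.example
Subject: Debt recovery - legal representation required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Dear Sir/Madam,

We require legal representation to recover a debt in your jurisdiction.
Please open the attached archive to familiarise yourself with the case.

--b1
Content-Type: application/zip; name="case_details.zip"
Content-Disposition: attachment; filename="case_details.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

# Constructed benign message from a colleague on the firm's own domain.
BENIGN_MESSAGE = """\
From: Jennie <jennie@law-firm.example>
To: janet@law-firm.example
Subject: Meeting notes
Content-Type: text/plain; charset="utf-8"

Hi Janet,

Notes from this morning are in the shared folder.
"""


def domain_of(header_value) -> str:
    """Return the lower-cased domain of an address header, or '' if absent."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw_message: str) -> list:
    """Return a list of findings for the message; an empty list means none fired."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    # Point 1: does the visible sender match where replies/bounces actually go?
    from_domain = domain_of(msg["From"])
    for header in ("Reply-To", "Return-Path"):
        other = domain_of(msg[header])
        if other and other != from_domain:
            findings.append(f"sender mismatch: From is @{from_domain} but {header} is @{other}")

    # Point 2: is the message addressed to anyone in particular?
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().strip().lower() if body is not None else ""
    first_line = text.splitlines()[0] if text else ""
    if not first_line or any(first_line.startswith(g) for g in GENERIC_GREETINGS):
        findings.append("generic or missing greeting")

    # Point 3: any zip attachment is treated as suspicious by default.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ctype = part.get_content_type()
        if name.endswith(".zip") or ctype in ("application/zip", "application/x-zip-compressed"):
            findings.append(f"zip attachment: {name or ctype}")
    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(label, "->", triage(raw) or ["no indicators"])
```

The constructed scam message trips all three indicators (two domain mismatches, a generic greeting and a zip attachment); the colleague's note trips none. A mismatch between From and Reply-To is common in legitimate mail from ticketing systems and mailing lists, so the output is a prompt to verify the sender by another channel, as learning point 4 advises, rather than a verdict.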
Well done
You have just completed Lesson 2. We hope these stories have given you some practical context for information security best practice. Now, you are ready to continue to the next lesson to test your understanding of the course material.
Lesson 3: Learning Assessment
Instructions
Welcome to the Learning Assessment. You will now be presented with five multiple choice questions that will review the information covered in this course.
You must achieve the pass mark of ___% to complete the course.
Good luck!
Question 1
Information security is primarily a technology issue.
True
False
Feedback
Correct/Incorrect
Information security is as much about technology as it is about culture. We need to make it standard practice at our firm to put in place controls that target both. It is not enough to simply use secure passwords if you leave your mobile devices unattended. Or you could be strictly compliant with the firm’s policy on not using public Wi-Fi networks while travelling, but if someone overhears you speaking on the phone, you could run into the very same security issues. So, to manage and control information security effectively, we must always strive to achieve information security best practice on all fronts.
Question 2
When creating a new password, you should NOT:
Use abbreviated phrases
Use names and birthdays
Use lowercase and uppercase letters
Feedback
Correct/Incorrect
Creating secure passwords is of the utmost importance when you are handling confidential information. Remember to make new passwords that are:
not identical or too similar to ones you've previously used;
easy for you to remember; and
difficult for anyone else to guess.
Note: Hackers may use information about you (e.g. your birthday, spouse’s name, address) or sophisticated computer programs to guess your password. So be sure to avoid obvious or simple passwords.
Question 3
What is a social engineer?
A person who designs, builds or maintains social networking sites
A person who attempts to acquire sensitive information by pretending to be someone they are not
A person who manages organisational leadership and compliance with employment and personal security laws
Feedback
Correct/Incorrect
A social engineer is a con artist. They are people or entities who try to gain your trust in order to trick you into revealing passwords or other confidential information that could compromise the security of your client, your firm or you. If you receive an information request that seems odd or out of place, be sure to verify who sent it. If you cannot verify this, do not respond. Report the suspicious activity to your manager.
Question 4
What is the first thing you should do if you realise your LinkedIn account has been hacked?
Turn off your computer or mobile device
Sign out of your other social networking accounts
Change your password
Feedback
Correct/Incorrect
If you are hacked, you need to change your password immediately. If the hacker has already changed the password, use the website operator’s account recovery process to regain control of your account. Contact the Information Security Team if you are concerned about a leak of any firm or client information.
Bottom line: Threats and risks are constantly changing. If you are concerned that an information security breach has taken place, it's always better to be safe than sorry.
Question 5
How can you protect your mobile devices when away from the office?
Never leave them unattended
Use a security cable or physical lock
Check to make sure no one is looking or listening to your work
Set up a secure password or PIN code
All of the above
Feedback
Correct/Incorrect
Remember: Information security is not always about the technology! Taking proper care of your mobile device is half the battle. Make it a habit to use mobile devices safely and securely and you will significantly reduce the risks of remote working. Think about it: If you were carrying a case of diamonds to a meeting, would you put it on the overhead rack of the train? Certainly not! You would hold the case and ensure that no unauthorised person touched it. Treat your laptop, mobile phone and other devices the same way.
Learning Assessment score
Well done! Click the 'next' arrow to continue to Lesson 4 and complete the course.
Lesson 4: Conclusion
Be aware of risks
Before we conclude, let's review a few final points:
Permanent staff, clients and visitors who have access to data and information can compromise that information by design or by accident.
All of our information must be actively protected against viruses, malware, hackers and other cyber criminals.
Firm procedures
Our firm has an information security policy that sets out appropriate procedures based on key areas of risk. It is important that you understand it thoroughly. If you have any questions or require any clarification on any part of our firm’s procedures, contact the appropriate person in our firm for guidance.
Conclusion
We live and work in an era of rapidly evolving technology. We hope that this course has helped you learn how to correctly use that new technology to work effectively, efficiently and safely.
Remember: Every staff member has a responsibility to be active in preventing information security breaches. If you identify a gap or vulnerability in our firm's security policy, it is your duty to report it. Thank you for completing this course.