Maksim Kabakou - Fotolia

Security Think Tank: Security is a shared responsibility

What are the best types of security controls organisations should be using to ensure a safe working environment for employees?

Security is everyone’s responsibility; it is also every organisation’s responsibility. A joint effort between the people using an organisation’s systems and information, and the organisation itself, is required.

There are a host of process and technology controls that an organisation can deploy to defend its systems and information that support people.

However, people, process and technology must all work in harmony to provide as secure an environment as possible. Deploying fewer than all three elements will compromise security.

Technology controls include email filtering on both inbound and outbound mail. Inbound filtering can scan for attachments containing malicious code, prohibited words, and so on, whereas outbound email filtering could be used to prevent the leakage of sensitive information, inadvertently or otherwise.

Email classification marks messages with highly visible classifications, such as “Classification: public” or “Classification: internal only”, helping people modify their behaviour accordingly.

Mail servers can be configured to prevent the accidental disclosure of email and attachments to unauthorised individuals. This can include enforcing encryption between email servers, preventing users from configuring the auto-forward feature and restricting the use of large distribution lists.

Process controls include good password management, such as imposing password changes every one to three months to help prevent unauthorised logins.

Shadow IT, although often viewed as a technology issue, is important from both people and process perspectives.

Read more from Computer Weekly’s Security Think Tank about security controls

Unapproved applications and platforms have often been introduced into the organisation by people who have not considered how their use will affect information security. Organisations can introduce formal processes to prevent unauthorised use of software and services.

Individuals cannot be absolved of their responsibility for security, and organisations should continue to develop education and awareness programmes to embed secure behaviours in people.

The triumvirate of people, process and technology is essential to provide the best possible protection for the organisation. ... ..  ... ... .. ... ... ... ... ..  ... ...

Read more on Hackers and cybercrime prevention