Human beings have evolved from a primitive to a highly sophisticated natural grouping. Humans have attempted, and continue, to study everything that exists under the sun, and the sun as well. This is all in a bid to get more information to better their lives, improve their businesses, gain superiority over everything else, become prosperous and control the Universe. As such, the need for information, and for information about this information, has become increasingly vital as the years go by.
As human beings developed, information was transmitted through telling stories, songs, drama and then written text. Today information of all types is stored and transmitted in digital format. The need for this knowledge/information is not only for business growth and academic prowess, but is critical for the survival of the human race and its environment. Information about, among other things, climate change, planets that surround the earth and micro-organisms that cause disease is vital for the survival of humans today and tomorrow.
It is said that the more information one (Individual/Government/Institution) is in possession of, the more powerful they are in Governance, Trade, Medicine, Manufacturing and Military, among others. A counter argument is that information in the hands of an individual, Government or Institution that does not need it might lead to a catastrophe. Protection of, and investment in the protection of, information systems is therefore very important. The protection of information systems is to ensure that information transmission systems are not tampered with, that information in storage or transmission is not tampered with, that information in storage and/or transmission is only accessible to authorized individuals, and that processes involved in the generation of information are not tampered with and are in the custody of only authorized people. Information, technology and the processes for the generation, storage and transmission of information are created and controlled by, and to the benefit of, human beings. Ironically, the compromise of these systems is majorly by, and ultimately to the benefit of, human beings as well. The human being is therefore at the center of strong or weak security in any environment.
Key information breaches of recent times include fraud and theft of money or financial assets from banks and other financial institutions the world over. In Uganda, particularly, over 18[1] billion shillings has been lost due to compromise of information systems in 2013 alone, and this is only a figure known to the authorities. On many occasions, in Uganda, key government information has been leaked. The leaked information is in the form of confidential memos or e-mails and recorded conversations between high profile government officials in key government-sanctioned operations. It has been observed in the SIM Card and National ID Registration exercises in Uganda that people, especially in urban centers, provide wrong data (Name, Residence, Date of Birth, Place of Birth etc.) to the authorities, and this can only be for the wrong reasons. The damage caused by information security breaches is therefore of a huge magnitude and extends beyond financial losses to Reputational Damage, Loss of Trade Secrets and Intellectual Property, Loss of Industrial Designs and, the worst of them all, Loss of Life. Imagine the effect of the legendary Coca-Cola formula leaking to the press!
On the international scale, Julian Assange started an online NGO, WikiLeaks, that sells Government secret information to willing buyers. Edward Joseph "Ed" Snowden, an American computer professional, a former system administrator for the Central Intelligence Agency (CIA) and a counterintelligence trainer at the Defense Intelligence Agency (DIA), has been in the news for leaking key classified USA government information to the world. In the recent past, the Republic of China and the USA have been engaged in countless counter accusations of trying to hack, or actually hacking, each other’s systems to gain access to key government information. These incidents and more have caused diplomatic uproar and mistrust among the people on how their governments conduct business. Millions of Dollars have inevitably been spent in trying to fight back and recover from any damage these attempted and/or successful leaks have caused. These are just a few of the incidents and clearly, all these efforts are initiated by human beings.
Amidst all this, information security efforts continue to evolve over time in sophistication and purpose. Information Security can be achieved through a combination of Physical, Logical and Administrative techniques to secure information assets. The sophistication of the technologies and processes to secure information assets alludes to the importance of information to the human race, and also to the fact that compromise of information assets is on the increase and, equally, carried out in a more sophisticated manner.
There is one Key Player that has made the need for information, and the need to protect this information, so VITAL: HUMAN BEINGS.
The human beings that might compromise information systems include employees who turn out to be disgruntled, employees who collude (in an environment where separation of duties is implemented) to beat systems, manufacturers (hardware and software) who install malware and back-doors in the products they sell, and Governments who want to spy on others for political/diplomatic interests, among others. Ignorance of information security by human beings is also a great source of insecurity. Social Engineering techniques like Phishing, sharing passwords (voluntarily, or by writing them on a sticky note on your desk, etc.) and giving strangers access to information systems without due process are some of the ways information systems can be compromised. These techniques are not new; they are as old as the Human Race itself and have become handy in the hi-tech era. This means, therefore, that ultimately, with human beings' involvement in information systems management, and with the right tools, resources and time, any system can be compromised.
However, all hope should not be lost. Societies, Companies, Governments and Institutions can achieve an acceptable level of security if human beings are managed better. There is a need to invest more in the management of Human Resources. Management of Employees, Clients, Competitors, Consumers and Shareholders, among others, is as vital as, or even more vital than, installing the most expensive security system for your organisation. A well-managed human resource will more likely manage the technology and other resources better.
“Don't compromise yourself. You're all you've got,” says Janis Joplin.
Techniques like continuous human resource development programs, continuous screening
of the employees (People change according to circumstances and therefore are largely
unpredictable), investing in maintaining a stable state of being (Psychological
and Social) for employees, and also applying basic principles of information
security (Risk Management, Disaster Recovery, Business Continuity, Good
Information Security Governance Practices among others) will help a great deal to
reduce the exposure to an acceptable level. In summary, there can be enough
security but only if there is keen interest in the Human Factor in Information
security!
In Uganda, there are a number of companies that can provide advisory/consultancy and technical services to help institutions and the Government nurture an information security culture, help initiate and manage information, information security and information security processes, and DERIVE VALUE from the investment in information systems.
The writer is an Information Security Practitioner at iFrontiers (U) Ltd (www.ifrontiers.net).
[1] Ag. Commissioner Electronic Counter Measure, ‘Current IT Fraud Situation Trends and Challenges; Perspectives from the Uganda Police Force’, East African Information Security Conference, Hotel Africana, 20th-21st August 2014.
Personally, I do not believe in "acceptable level of exposure" to our Information systems. As we may all understand that whether high or minimal, any level of exposure is the root cause and the soil in which all this flourishing Systems Insecurity grows....
Otherwise Good job; Great article.
Thanks for your comment.
1. You see, in reality, there is no 100% secure system. It is also dangerous to set up systems and believe that you have outsmarted the intending attacker or threat agents. Many have fallen victim to 'Security in Obscurity' - a term which means that one believes no one else can figure out how to beat their controls or security systems. Attacks have become more sophisticated, with dynamic and evolving techniques, hence the need for a Risk Management program, which should be a living program - always revised, updated etc.
2. Institutions are in business to make Money and not to be secure, therefore the cost benefit analysis must make sense. Investing in too much security must result in value to the business; it must translate into profit, efficiency, effectiveness etc. This might lead to acceptance of some risks, if it's calculated that the cost of implementing a control is far bigger than the loss to be accrued from the exposure... Perhaps transfer of such a risk (Insurance) might come in handy as well.