Mitigating Leakage of Organizational Information in the Hyper-Connected Era:
From the Perspectives of Managers and Employees
Dr. Nurul Nuha Abdul Molok, Ph.D., LA27001, CCDA, Head
Dept. of Information Systems, Faculty of Information & Communication Technology (ICT)
International Islamic University Malaysia
Research Symposium, 21 November 2019
Outline
From the News
Information leakage cases
Insider threats
Inadvertent information leakage
Organizational information to be protected
Mitigating inadvertent information leakage
From the News
What would happen when 5G comes?
Information Leakage
• “a breach of the confidentiality of information, typically originating from staff inside an organisation and usually resulting in internal information being disclosed into the public domain” (ISF, 2007, p.2) across organisational boundaries
• May be intentional and unintentional
• May be malicious and non-malicious (but inappropriate)
Impacts of Leakage
• Loss of competitive advantage, reputation and revenue
• Penalties from breaches of confidentiality agreements
• Malicious hackers will identify pathways into organizations
Our Research Findings: What do employees disclose on social media?
• Communicating with colleagues
  • Generally, participants communicated with colleagues about meetings, tasks, celebrations, commiserations and frustrations.
  • Employees posted about frustrations at work, typically expressing their dissatisfaction with the boss, colleagues, workloads and clients
Our Research Findings: What do employees disclose on social media?
• Types of organizational information disclosed on Facebook
  • Information about the organization
  • Information about bosses and supervisors
  • Information about colleagues
  • Information about job description, meetings or tasks
  • Information about company events
  • Information about clients
  • Information about other stakeholders
Our Research Findings: Feedback from the industry
• Risky OSN behaviour
  • Posting information that might be sensitive to the organization
  • Having a social media profile that is not protected
  • Accepting friend requests from unknown people
  • Playing games and using third-party applications
  • Clicking external links
• Security impacts
  • Information or intelligence gathering
  • Reputational risk
  • Malware distribution
  • Identity theft
  • Network performance issues
  • Employees’ productivity level
Garden of Knowledge and Virtue
Strategies to mitigate information leakage
ICT Security Policies
• Information security policy (ISP)
  • clear classification of confidential and sensitive information
• Acceptable use policy for the Internet and social media
  • aligned with business processes and job requirements
• Must be designed, implemented, enforced and reviewed to ensure effectiveness (ISO/IEC, 2013)
• Communicated to and understood by employees
• Requires employees’ deep understanding of, and belief in, the severity of security breaches
Security Education, Training & Awareness
• Improves employee security behaviour by:
  • (1) building in-depth knowledge to design, implement or operate information security programs for organisations and systems, through security education for employees with information security responsibilities;
  • (2) developing employees’ skills to perform their jobs while using IS more securely, through security training; and
  • (3) improving employees’ awareness to protect IS resources against risks, through security awareness programs.
• Tailored awareness programs in accordance with management levels
Technical Controls
• Data leakage/loss prevention/protection (DLP) systems
  • the control mechanism for unintentional information leakage among employees, which may happen through any leakage platform including email and social media
• Web filtering systems
• Unified Threat Management (UTM)
  • all-in-one security appliances that include firewall, IDS/IPS, DLP, antivirus, VPN, antispam, malicious web traffic filtering, antispyware, content filtering and traffic shaping capabilities
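As an added example (not from these slides or from any DLP product), the following shows the kind of outbound content-inspection policy a DLP system applies to email and social-media posts: each rule ties one of the information categories employees were found to disclose to a classification label from the ISP and to an action. The client names, project codenames and labels are constructed placeholders.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str            # category of organizational information the rule detects
    pattern: str         # regex applied to the outbound message
    classification: str  # label the ISP assigns: "confidential" or "internal"
    action: str          # "block" or "alert"; anything unmatched is "allow"

# Constructed rule set (an assumption, not any real product's policy). Client
# names and project codenames are placeholders; a deployment would load them
# from the ISP's classification register.
RULES = [
    Rule("classification marker", r"\b(CONFIDENTIAL|INTERNAL ONLY)\b", "confidential", "block"),
    Rule("client name", r"\b(Acme Holdings|Example Bank)\b", "confidential", "block"),
    Rule("project codename", r"\bProject (Falcon|Osprey)\b", "confidential", "block"),
    Rule("meeting or task detail", r"(?i)\b(meeting|deadline|deliverable)s?\b", "internal", "alert"),
]
COMPILED = [(rule, re.compile(rule.pattern)) for rule in RULES]

def inspect(message: str) -> dict:
    """Verdict for one outbound message (email body or social-media post).
    Every rule is evaluated; the most restrictive action wins (block > alert > allow)."""
    hits = [rule for rule, rx in COMPILED if rx.search(message)]
    if any(rule.action == "block" for rule in hits):
        action = "block"
    elif hits:
        action = "alert"
    else:
        action = "allow"
    return {"action": action, "matched": [rule.name for rule in hits]}

def redact(message: str) -> str:
    """Mask confidential fragments so the alert copy sent to the security team does not leak them again."""
    out = message
    for rule, rx in COMPILED:
        if rule.classification == "confidential":
            out = rx.sub("[REDACTED]", out)
    return out

# Constructed sample posts resembling what employees were found to disclose.
SAMPLE_POSTS = [
    "Happy birthday to our team lead!",
    "Ugh, another pointless meeting with the boss today",
    "Finally done with the Project Falcon pitch for Acme Holdings!",
]

if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        verdict = inspect(post)
        print(f"{verdict['action']:5} {verdict['matched']} :: {redact(post)}")
```

The "alert" tier is where inadvertent leakage of job, meeting and frustration posts surfaces for awareness follow-up rather than blocking, matching the tailored-awareness strategy above.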
Our Research Findings: Mitigating inadvertent information leakage
• The strategy was influenced by
  • Management’s perception of the security impacts of employees’ behaviour
    • The security managers’ perception of the security issue had a huge impact on which security strategy they chose
  • Management’s commitment to security initiatives
  • Assignment of security responsibility
  • Employees’ behaviour
• Maturity framework to mitigate sensitive information leakage through social media