The Importance of Information Security Awareness for Personnel
Social Engineering is a method of obtaining information, or of making victims do what the attacker wants, by exploiting a person's trust or psychology. Broadly speaking, it targets the part of the security system that is most vulnerable to attack, the human being; this is also called Human Hacking.
The methods used:
The first is to ask directly for what the attacker wants: a password, the configuration of a system, or the key to some data.
The second is to create a false situation that involves the victim. This method takes more work, because the perpetrator must first collect information about the victim so that the victim will readily trust the perpetrator.
For example, the perpetrator poses as a travel agent who asks for the victim's identity details and then uses that identity for personal gain. Lately this method is often carried out by e-mail, SMS, or a direct telephone call.
There are several techniques that are popularly used by perpetrators:
- Techie Talk, where the perpetrator speaks fluently, like an expert in a particular field, so that the victim is easily influenced by the speaker's apparent expertise.
- Whaling Attack, where the perpetrator collects the victim's data using information the victim has displayed on social media.
- Neuro Linguistic Programming, where the perpetrator pays attention to gesture, intonation, and touch when establishing communication with the victim, so that the victim feels safe and subconsciously becomes comfortable with the offender.
- Vishing Attack (Voice Phishing Attack), a deceptive technique that uses the telephone as its main channel. For example, the perpetrator pretends to be a bank employee and says that there is a problem with the victim's account that needs to be updated; the victim is then likely to give out identity details and even an ATM PIN.
This matters for personnel information security because humans are the most easily manipulated part of the system; by understanding how Social Engineering works, we can be more careful about the information we give out, especially personal data.
Designing Security Awareness Training and Program
Even a perfectly designed information security program sometimes fails, as indicated by a high frequency of attacks on information security. This is because most programs are designed only to hand the employees concerned documents on how the program is run, and the problem is that employees are too lazy to read those documents or manuals.
A program that can be called "perfect" means nothing if employees or users lack the awareness to uphold their rights and obligations in protecting the company's information assets. The first step is to introduce the program visually or in person, for example in a seminar. The next step is to review services such as risk analysis, policies, procedures, standards, security assessment, and relationships with the business, to determine how each service supports the business. Next comes organizing a learning program on information security. The learning program consists of:
- Awareness, which encourages and motivates employees towards what must be done to secure information.
- Training, which builds skills in carrying out procedures and using programs related to information security, and places employees in conditions that require them to use those procedures and tools.
- Education, a deeper learning process that supports the company's information security.
This improves information security because employees better understand how valuable information is, which reduces the risk of information leaks. On the other hand, employees who learn which information is important could steal that information to sell to rival companies.
Basic Principles of Professional Ethics
There are a number of basic principles that underlie the implementation of a professional code of ethics. The principles of professional ethics are as follows:
- Principle of Responsibility
Every professional is responsible for how a job is carried out and for its results. The professional is also responsible for the impact that his profession may have on the lives of others or the general public, that is, for what he does and its consequences.
- Principle of Justice
Professionals are required to promote justice in carrying out their work: justice must be given to anyone who has a right to it. Justice is one of the foundations that professionals must uphold.
- Principle of Autonomy
Every professional has the authority and freedom to carry out work in accordance with his profession. That is, a professional has the right to do or not do something, taking into account the professional code of ethics.
- Principle of Moral Integrity
Moral integrity is the quality of honesty and adherence to moral principles that a person applies consistently in carrying out his profession. That is, a professional must have a personal commitment to safeguard the interests of his profession, himself, and society. Personality is the key to this principle.
Employment Screening is an active step a company takes against the risk of recruiting the wrong candidates. It can use interviews and identify in advance the parts of the company that are vulnerable to risk, especially those directly related to the position the prospective employee will fill. Its other purpose is to reduce risks that could endanger the company financially, legally, or in its reputation.
The step required in the screening process is to ensure that the data supplied by prospective employees is valid and complete. This can be done directly, for example face to face in an interview, or indirectly, such as by e-mail or telephone. Examples of data a prospective employee must provide are a Curriculum Vitae (CV), application form, personal identity, background, criminal record, social activities, and other supporting files. The employment screening process can be carried out not only when hiring employees but also when an employee undergoes Job Rotation or promotion.
In Employment Screening, fraud often occurs, such as inflated salary claims, unclear job descriptions, altered working hours, false references, and falsified educational degrees. These can be revealed by verifying the candidate's claims about previous work, verifying claims about education, and checking online, for example the candidate's social media.
Employment Screening is therefore important for personnel information security because it lets us find out the situation of an employee before that employee is accepted, so that the security of the company's information can be maintained.
Job Rotation is a method a company uses so that employees do not feel bored by monotonous work: work positions are alternated over a predetermined period of time. Job rotation is determined by each company or agency and takes the form of a change of workplace, of work partners, or even a promotion. This is good for employees just starting a career, because it lets them plan a clear career path and a clear development plan. At the same time, the method also prevents employees from finding loopholes to commit fraud or improper actions that could harm the company.
Employee Termination Process
The Employee Termination Process, or termination of a cooperation contract with an employee, is taken for many reasons, including unsatisfactory employee performance, employees considered detrimental to the company, and other problems. It needs careful consideration because breaking the contract means a loss of human resources. Nevertheless, it is a concrete step to prevent irregularities in the company, for example when an employee starts to access documents outside his authority without direction from his superiors. This should raise suspicion of possible data theft from those documents; the more data that becomes known, the more the company is threatened. In such a case, termination of the employment contract is the right step to maintain the integrity of the company, both financially and in terms of its data and information.