Information Security

8 articles
blog

Information security measures are essential for teleworkers! From Advantages to Examples of Countermeasures

With the spread of the novel coronavirus in 2020, telework and remote work became common ways of working. Many companies have not yet introduced telework but may be considering it. Information security measures are a prerequisite: to prevent incidents at your company, make sure the measures are in place before employees start working remotely. This article explains why information security measures are necessary for telework, introduces the benefits of telework, and gives specific examples of security measures. If you are considering telework, please read to the end.

Necessity and possible risks of information security measures in telework

While an increasing number of companies are introducing telework, many find it a challenge to ensure security. According to a survey by the Ministry of Internal Affairs and Communications (MIC), 47.6% of responding companies said that ensuring security was an issue when introducing telework.

Source: "Secondary Fact-Finding Survey on Telework Security," Ministry of Internal Affairs and Communications

Neglecting security when introducing telework exposes the company to a variety of risks. To prevent losses, it is important to understand them. There are four typical risks.

Loss or theft of the device

In many cases, employees are lent laptop computers for teleworking. There is little concern about loss or theft when working at home, but in coworking spaces and similar shared locations care is needed. If customers' personal information is stored on the device, its loss or theft can become a major incident; full-disk encryption on lent devices limits what a thief can read from them.

Information leakage

When working at home or in a coworking space, you use a different Internet connection than in the office.
Home and shared networks vary in how securely they are configured, so using a connection with a weak security level carries a risk of information leaks.

Infection with malware

Terminals provided in offices are generally equipped with antivirus software. However, it is not uncommon for employees' personal terminals to have none installed, so the risk of infection with viruses and other malware increases.

Communication interception and eavesdropping

Be especially careful when using public Wi-Fi in cafes and other places. Because free Wi-Fi is open to anyone, your communications may be intercepted, and in some cases eavesdropped on. Connecting through the company VPN and using only TLS-protected services reduces what someone on the same network can read, but caution with free Wi-Fi is still required.

Teleworking has benefits when information security measures are implemented

Although teleworking has security risks, it also has benefits for both employees and companies. Specific benefits are listed below.

Reduction in commuting time

Commuting is one of the most stressful parts of an employee's day, especially riding crowded trains. If telework is introduced, employees no longer have to commute and can use the saved time more effectively, which also improves work efficiency.

Prevention of employee turnover

If you create an environment that allows employees to work from anywhere, you can hire from a wider pool, including people in rural areas. There are also cases where employees leave because commuting has become difficult for reasons such as childcare or nursing care; if they can work via telework, it is possible to retain them.

Other benefits include cost savings through reduced office space and transportation costs.
Examples of information security measures for telework

When implementing telework, it is essential for companies to take measures. Here are seven specific measures.

Establishment of security guidelines

One method is to formulate security guidelines that state what the company expects its employees to be aware of. Clearly state the basic policy employees should follow in their work and make sure it is communicated to them. Guidelines are not finished once established; they should be updated as circumstances and threats change.

Introduction of security software

Clear statements in guidelines are effective, but so is software that enforces protection. If a terminal becomes infected with a virus, it can cause significant losses to the company. To prevent the worst from happening, security software should be installed on every terminal used for business purposes.

Thorough password management

Passwords entered during work must be difficult to guess. Birthdays, names, and consecutive numbers are easily guessed and can lead to unauthorized access. Use long passwords that mix letters, digits and symbols, never reuse a work password on another service, and screen new passwords against such obvious patterns; length and a blocklist of weak choices do more for strength than a symbol requirement alone.

Paperless promotion

Paper documents are easy to carry, but for the same reason they are at high risk of theft or loss. If paper documents are stolen or lost away from the office, the situation may be irreversible. Going paperless removes this disadvantage.

Encryption of personal information

If you handle a lot of personal information, encrypt the data itself. In companies that use cloud applications, employees may access personal information through the application. Encrypting stored data in advance means that a stolen device, a leaked backup or a compromised account yields far less to an attacker; encryption complements access control rather than replacing it, and the keys must be kept separate from the data they protect.
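The password guidance above can be enforced mechanically at the point where a telework account is created or a password is changed. The following Python function is an added example, not code from the original article or from learningBOX: it screens a candidate against the patterns the article names (birthdays, names, consecutive or repeated digits) plus a minimum length, and returns every reason for rejection so the user can be told what to fix. The blocklisted names and the 12-character minimum are assumed policy values; a real deployment would load employee and family names from the directory and add a breached-password list.

```python
"""Screen a candidate password against the weak patterns the article names.

Added example (not from the original article). The blocklist and minimum
length below are assumed policy values, not values from the article.
"""
import re
from datetime import datetime

MIN_LENGTH = 12                      # assumed policy value

# Constructed sample blocklist: common words plus names a colleague would know.
# A real deployment loads these from the company directory and a breach list.
BLOCKED_WORDS = {"password", "company", "tanaka", "suzuki", "sato", "yamada"}

TOO_SHORT = "too short"
BLOCKED_WORD = "contains a name or common word"
DIGIT_RUN = "sequential or repeated digits"
DATE_LIKE = "looks like a date (birthday)"


def has_digit_run(candidate: str, length: int = 4) -> bool:
    """True if any digit group contains `length` digits that ascend (1234),
    descend (9876) or repeat (1111) one step at a time."""
    for group in re.findall(r"\d+", candidate):
        for i in range(len(group) - length + 1):
            chunk = group[i:i + length]
            steps = {int(b) - int(a) for a, b in zip(chunk, chunk[1:])}
            if steps in ({1}, {-1}, {0}):
                return True
    return False


def looks_like_date(candidate: str) -> bool:
    """True if a 4- to 8-digit group parses as YYYYMMDD, YYMMDD or MMDD.
    Some non-dates are accepted too (e.g. 1234 as 2012-03-04); erring
    toward rejection is intended for a password screen."""
    for group in re.findall(r"\d{4,8}", candidate):
        for fmt in ("%Y%m%d", "%y%m%d", "%m%d"):
            try:
                datetime.strptime(group, fmt)
                return True
            except ValueError:
                continue
    return False


def check_password(candidate: str, blocked: set = BLOCKED_WORDS) -> list:
    """Return the list of reasons the candidate fails the policy (empty = accepted)."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(TOO_SHORT)
    lowered = candidate.lower()
    if any(word in lowered for word in blocked):
        reasons.append(BLOCKED_WORD)
    if has_digit_run(candidate):
        reasons.append(DIGIT_RUN)
    if looks_like_date(candidate):
        reasons.append(DATE_LIKE)
    return reasons


if __name__ == "__main__":
    # Constructed sample candidates.
    for pw in ("Tanaka19900415", "abcd1234!", "Vz7#quarry-Lantern!8"):
        verdict = check_password(pw)
        print(f"{pw!r}: {'accepted' if not verdict else ', '.join(verdict)}")
```

The checks are deliberately case-insensitive for words and tolerant of digits embedded in a longer string, because "Tanaka1990" is no harder to guess than "tanaka1990". Run the check server-side as well as in the client: a browser-only check is trivially bypassed.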
Regular OS or app updates

Update your OS and applications as soon as possible, as updates are released continuously. Updates often include fixes for vulnerabilities. Failure to update leaves the system in a high-risk state, so it is essential to act promptly.

Security education

Among the various security measures available, security education is recommended to help people understand why the measures are needed. The curriculum is often tailored to those with low security literacy. Take the time to show employees examples of information security incidents, make them aware of the importance of security measures, and aim to raise the security literacy of the entire organization.

SUMMARY

In this article, we have shown why information security measures are essential for teleworkers, along with examples of such measures. Although teleworking involves various security risks, it also has many advantages. To promote diverse work styles and create a comfortable work environment, consider introducing telework.

When you want to educate your employees about information security, please use the information security training content of "learningBOX ON". learningBOX ON is a service that makes it easy to add the training content companies need to learningBOX, an e-learning creation and management system. You can design your own original learning courses by combining the content with your own in-house material. Information security and compliance training courses are available free of charge, so we encourage you to use this service for your in-house training.
blog

Five steps to plan information security education: What is its purpose and necessity?

Today, everyone involved in corporate operations handles some kind of confidential information, and information security education is becoming increasingly important. Even if hardware and software protections are in place, if individuals lack security awareness, an external attack or human error can lead to a serious incident. In this article, we explain the necessity, purpose, and implementation method of information security training, and introduce content and materials useful for implementing it.

Fundamentals of information security education

To protect companies from information security incidents caused by cyber attacks or mismanagement of information assets, it is important to conduct employee training that strengthens security awareness. First, we explain the necessity, benefits, and purpose of information security education.

Necessity and benefits of information security education

Thorough information security education for employees makes it easier to prevent information leaks, because more than 60% of information leaks are caused by human error, such as "lost or misplaced," "mishandling," "mismanagement," "misconfiguration," and "theft." It is also expected to reduce risks such as compensation for damages and loss of social credibility after an incident.

[Reference] "Survey Report on Information Security Incidents in 2018," Japan Network Security Association

Purpose and role of information security education

Familiarize employees with the information security policy

An information security policy is an organization's policy for information security measures. It mainly describes action guidelines, plans and measures, and the operational structure and rules. To improve information security awareness within an organization, continuous efforts and mechanisms are necessary to ensure that all employees comply with the formulated policy.
For example, the penalties for non-compliance and the damage to the organization should be made clear, tests should check the level of understanding, and rules on the handling of personal information should be thoroughly enforced.

Understand information security threats and countermeasures

In information security training it is also important to convey real-life examples, so that employees comply with the policies that have been developed. For example, it is effective to explain Internet threats and the damage they cause, basic measures such as anti-virus software and vulnerability management, and precautions when handling e-mail and other tools.

How to plan information security education

The following is a step-by-step explanation of how to implement information security education. Run it in an appropriate cycle and use it to improve your company's literacy.

Step 1: Establish the purpose of education and the learning themes

Clarifying the objectives at the beginning makes it easier to keep efforts and effects consistent. Extract and organize past incidents and issues related to information security within the company to help set objectives. From external examples, you can also anticipate risks that have not occurred in the past but could occur in the future. Once the objectives are set, determine the security knowledge and skills employees need to acquire to address the issues, and select learning themes accordingly.
Examples of learning topics include the following:

- Risk of information leakage
- Confidentiality and types of confidential information
- Targeted attack e-mail: threats and response measures
- Rules for using social networking services
- Importance of managing information terminals
- Security risks in the use of cloud services and public wireless LANs
- Latest cyber-attack tactics
- Password management

Step 2: Select the target audience for education

Next, select the target audience according to the purpose of the education and the learning theme. Depending on the content, the target may be determined by department, position or role, office location, and so on; for example, regular employees of the sales department, outsourced staff involved in business operations, or regular employees of the Tokyo office. Regardless of employment status (temporary employees, contract employees, part-timers and outsourced workers included), everyone involved in the business should be in scope.

Step 3: Determine the timing and frequency of training

Next, determine the timing and frequency of information security training so that it can be built into the schedule. Suitable timing includes when new or mid-career employees join the company, when a security incident occurs at the company or elsewhere, or when internal rules are changed. The key point is to conduct it at a time when employees' interest in information security is high. Frequency can be once a year, once every half year or quarter, or once a month; determine it based on the importance of the content and the frequency of personnel changes, and hold it regularly.

Step 4: Select the form of education and prepare contents

The next step is to consider the form of information security education. Group training, e-learning, and external seminars are commonly used.
Select the appropriate method according to the content of the training, the cost, and the literacy level of the participants. The most recommended method is e-learning: an Internet-based format in which learners access an online server from a computer or tablet and take the required courses. It does not require gathering participants as group training does, and can be accessed from any location at any time as long as there is an Internet connection, making it easy to use even for companies that have introduced remote work. Once the form of education is decided, prepare the content. Depending on the e-learning service, it may be possible to deliver not only existing content but also a combination with materials created by the company itself.

Step 5: Follow up based on measurement of the effectiveness of the education

After the training, measure its effectiveness through confirmation tests and questionnaires. If any employees show problems with information security awareness, provide feedback and follow-up. If you have prepared your own educational materials, review them based on the measurement results.

Content and materials for information security education

When conducting information security education, it is efficient to combine external content and materials in a form suitable for your company. Here we introduce content and materials that can be used.

IPA "Information Security Measures Support Site"

This is a publicly available resource from the Information-technology Promotion Agency, Japan (IPA), an agency under the Ministry of Economy, Trade and Industry (METI) engaged in activities such as human resource development to strengthen Japan's competitiveness in the IT field.
It introduces specific security measures by purpose and situation, such as web conferencing, teleworking, and long vacations, and is sometimes used as training material or handouts.

[Reference] "Information Security Measures," Information-technology Promotion Agency, Japan (IPA)

Ministry of Internal Affairs and Communications "Cyber Security Site for Citizens" (Japanese only)

The Ministry of Internal Affairs and Communications (MIC) website provides content on cyber security measures in companies and organizations. The site features a curriculum divided by role, such as executives, employees, and information management personnel, making it easy to use for company-wide information security education. All content is available as downloadable PDFs, so it can be distributed as a resource after the training to consolidate knowledge. Some courses are also available in video format, allowing users to rewatch explanations by experts.

[Reference] "Cyber Security Site for Citizens," Ministry of Internal Affairs and Communications

e-learning service learningBOX ON

"learningBOX ON" is a service that makes it easy to add essential corporate training content to "learningBOX," an e-learning creation and management system. The information security material is available free of charge, and original material can be delivered in combination with the existing content.

Promote information security education to make your company more resilient to cyber risks

In this article, we explained the purpose of information security education and how to implement it. To reduce risks such as damage to the corporate image and compensation for damages caused by information security incidents, it is necessary to improve the security awareness of each and every employee.
Implement information security education systematically to build an organization that is resilient to cyber risks. We recommend learningBOX ON's information security training content for educating your employees about information security. Compliance training content is also available free of charge, so please take advantage of it for your in-house training.
blog

How to Prevent Internal Fraud

There is no end to the number of "internal fraud" cases in which personal information or information assets are leaked to outside parties by employees or contractors. In recent years, even unintentional negligence has come to be treated as internal fraud, so employees who believe they would never commit fraud may still be involved in it. Companies should therefore pay close attention to internal fraud and promote security awareness on a daily basis. This article touches on the causes of internal fraud and explains specific countermeasures. Managers and human resources staff are encouraged to refer to it.

What is internal fraud?

Internal fraud is when a person within an organization takes, leaks, erases, or destroys the organization's confidential information or customer information. Accidental leakage of information is also treated as internal fraud. If a security incident is reported to the public, it can seriously damage a company's credibility, and in this age of social networking and easy access to information, companies need effective measures to prevent internal fraud before it happens. In addition to information leaks, internal fraud includes embezzlement of money, illegal overtime work, and nonpayment of wages.

Background of attention to countermeasures against internal fraud

With the enforcement of the revised Personal Information Protection Law in April 2022, companies are now obligated to report information leaks, where previously they were only expected to make an effort to do so. Next, let's look at the specific background of the attention being paid to internal fraud countermeasures.

Internal fraud is perceived as a threat
Society perceives internal fraud as a threat, and that is a major reason for the attention: in the Information-technology Promotion Agency (IPA)'s "10 Major Threats to Information Security 2020," "information leakage due to internal fraud" ranked second in the organization category. Because of the damage it causes, even when internal fraud is discovered within a company it is often not disclosed, for fear of the consequences of publicity.

Unclear security measures taken by outsourcing partners

Next is the lack of transparency in the security measures taken by outsourcing partners. In the past, cases such as the following have occurred after work was outsourced to contractors who neglected information management:

- A contractor re-subcontracted the work to another business, resulting in the leakage of personal number (My Number) information.
- E-mail addresses of corporations registered for related services were leaked through an erroneous transmission of an information e-mail.
- A USB memory stick containing residents' personal information was taken off the premises without permission and later found to be missing.

If work is outsourced to a company that underestimates information security or holds no third-party certification, internal fraud like this can occur. Overseas contractors may also not fully grasp internal fraud because of differences in culture, values, and security budgets. In the 2015 Insider Threat Report by the data security vendor Vormetric, approximately 89% of respondents said their companies were at least somewhat vulnerable to insider threats. Outsourcing is an effective management strategy, but companies must ensure that security controls over the vendor (outsourced vendor management) are in place.

Types of internal fraud

Internal fraud is not limited to information leaks.
The following also count as internal fraud.

Embezzlement in the course of business

Embezzlement in the course of business is misappropriating another person's property that one holds as part of one's duties. Specific means include:

- Fraudulent expense claims
- Theft of equipment
- Unauthorized money transfers
- Personal use of company credit cards, miles, etc.

Besides individuals, embezzlement can be committed by an entire organization, including upper management and outside firms. Regardless of the amount, it directly damages the company's economic assets.

Harassment

Harassment is words or actions against another person's wishes that make that person uncomfortable. Examples include:

- Power harassment
- Sexual harassment
- Maternity harassment
- Workplace bullying
- Alcohol harassment, etc.

Perpetrators often take advantage of hierarchical relationships and differences in position. Harassment is a blow to human resources, forcing the harassed employee to take leave or resign.

Violation of the Labor Standards Act

Violations of the Labor Standards Act, such as failure to pay overtime and wages, are another form of internal corporate malfeasance. They not only damage the company's reputation but may also result in claims for damages from employees. If a company refuses an on-site inspection by a labor standards inspector or fails to submit a corrective action report, the case may be referred to prosecutors.

Three factors that lead to internal fraud

We have mentioned various types of internal fraud, but in recent years information leaks have become the particular problem. The spread of telework and social networking has had a major impact.
Corporate information leaks are caused by the following three factors.

(1) Technical factors

The first is technical. If internal information security is weak, passwords can be leaked and employees without a business need may be able to access information, increasing the risk of internal fraud. Some companies also keep no history in their operation logs. If a system does not record who accessed what and when, detecting internal fraud and tracing its route becomes difficult and investigation takes a long time.

(2) Human factors (intentional)

According to the IPA's "Survey of Incidents of Fraud by Insiders in Organizations," the motivational and pressure factors behind internal fraud include "receiving a dismissal that is considered unfair" and "dissatisfaction with salary and bonuses." Intentional information leaks tend to occur in companies with dissatisfied employees.

(3) Human factors (human error)

The third factor is human error: mishandling of information, loss of files or USB sticks, and so on. Behind human error may lie a lack of knowledge or experience, or workloads that exceed what staff can handle.

Specific information leakage countermeasures

What measures can companies take to prevent internal fraud? This section looks at a variety of specific countermeasures.

Strengthening internal monitoring

To prevent information leaks, strengthen monitoring. Specifically, the following controls are available:

- Control of entry/exit records
- Management of terminal take-out records
- Transmission of security alerts
- Access log management and monitoring
- Detection of unauthorized access, etc.

When strengthening internal monitoring, it is important to establish rules for mutual checking and to distribute authority so that it is not concentrated in specific employees.
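The monitoring controls above only help if the logs actually record who did what, when, and to which resource, which is the gap the technical-factors section points at. The following Python script is an added example, not code from the original article or from learningBOX: it parses constructed access-log lines and applies three insider-threat rules (access outside business hours, access to a resource the user's role is not entitled to, and bulk downloads), and separately flags any event that carries no user attribution, since such an event cannot be traced during an investigation. The log format, business hours, role-to-resource mapping and the 10,000-row bulk threshold are all assumptions for the example.

```python
"""Insider-threat rules over access logs: added example, not from the article.

The log format, business hours, role entitlements and bulk threshold below are
assumptions for the example, not values from the article or any real system.
"""
import re
from datetime import datetime, time

# Constructed sample log lines (not from any real system). Assumed format:
# <ISO timestamp> key=value ...   with user/role/action/resource[/rows]
SAMPLE_LOG = """\
2024-03-04T10:12:44 user=sato role=sales action=view resource=crm/customers
2024-03-04T22:15:03 user=sato role=sales action=download resource=crm/customers rows=48000
2024-03-05T11:02:10 user=kimura role=engineering action=view resource=hr/salaries
2024-03-05T13:40:00 action=download resource=crm/customers rows=200
2024-03-05T14:05:30 user=yamada role=hr action=view resource=hr/salaries
"""

BUSINESS_HOURS = (time(9, 0), time(19, 0))   # assumed policy: Mon-Fri 09:00-19:00
BULK_ROWS = 10_000                             # assumed policy threshold
ROLE_ALLOW = {                                 # assumed role -> allowed resource prefixes
    "sales": ("crm/",),
    "hr": ("hr/",),
    "engineering": ("repo/",),
}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Split '<timestamp> k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts_text, _, rest = line.partition(" ")
    event = dict(KV_RE.findall(rest))
    event["ts"] = datetime.fromisoformat(ts_text)
    return event


def outside_business_hours(ts: datetime) -> bool:
    """Weekend, or a weekday time outside the BUSINESS_HOURS window."""
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.time() < end)


def detect(log_text: str) -> list:
    """Return (timestamp, user, reason) alerts for every rule an event trips."""
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        ts, user = ev["ts"], ev.get("user")
        # An event nobody can be held to is itself a finding: the log cannot
        # answer "who" when an incident is investigated.
        if user is None:
            alerts.append((ts, None, "unattributed event: no user field"))
            continue
        if outside_business_hours(ts):
            alerts.append((ts, user, "access outside business hours"))
        role, resource = ev.get("role", ""), ev.get("resource", "")
        # str.startswith accepts a tuple of prefixes; an unknown role gets ()
        # and therefore matches nothing.
        if not resource.startswith(ROLE_ALLOW.get(role, ())):
            alerts.append((ts, user, f"role {role!r} not entitled to {resource}"))
        if ev.get("action") == "download" and int(ev.get("rows", 0)) >= BULK_ROWS:
            alerts.append((ts, user, f"bulk download of {ev['rows']} rows"))
    return alerts


if __name__ == "__main__":
    for ts, user, reason in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()}  {user or '-':8}  {reason}")
```

On the sample log this raises four alerts: two for the same after-hours 48,000-row export, one for an engineer reading HR data, and one for the download that the log attributes to nobody. The last kind is the cheapest to fix and the most often forgotten: make user identity a mandatory field at the logging layer, not something the application may omit.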
Strengthening internal monitoring not only deters employee fraud; because the records already exist, it also shortens the system administrator's work when an incident has to be investigated.

Using an internal fraud checklist

It is also effective to create a checklist to confirm that critical information is managed and operated correctly and that employees are properly trained. If it is difficult to create one in-house, you can use externally published checklists such as the one in the IPA's "Guidelines for Preventing Internal Fraud in Organizations." Working through the checklist lets you survey the actual situation and identify where your company's security needs strengthening.

Reduce the burden on employees

Consider reducing the burden on employees. The busier the workplace, the less time there is to train employees on information security. Rather than holding large-scale security training a few times a year, it may be more effective to provide an environment where employees can take short courses regularly. Micro-learning and e-learning programs can raise security awareness in a short time.

SUMMARY

In this article, we have explained internal fraud. Today, it has become an urgent issue, and companies must take measures such as thorough employee security training. To raise awareness of information security within your company, please use the information security training content of "learningBOX ON". learningBOX ON is a service that allows companies to easily add the training content they need to learningBOX, an e-learning creation and management system. By combining it with your own in-house content, you can design your own original learning courses.
Content for information security training and compliance training is available free of charge, so we encourage you to use this service for your in-house training.
blog

Handling Confidential Information in the Workplace

Corporate activities involve handling a wide range of information about customers and business partners, and much of the data and documents used in daily operations contain confidential or secret information. Such information must be handled with care, because its leakage outside the company could lead to serious incidents. This article explains "confidential information" and "secret information," the difference between the two, and measures against information leaks.

Difference between confidential and secret information

In business, the terms "confidential information" and "secret information" are sometimes used interchangeably. Neither has a single clear definition and they are easily confused, but strictly speaking they differ. First, we explain the difference.

Meaning of confidential information and secret information

Secret information is the information designated as subject to confidentiality when a nondisclosure agreement (NDA) is concluded. Which information falls into this category is agreed between the parties, so its scope depends on the content of the agreement.

Confidential information, on the other hand, is any information that is important to a company or government organization. Within a company, confidential information is also referred to as "trade secrets" or "company internal secrets" and must be handled with care. Like secret information, it must be kept from leaking outside the company.

Types and examples of confidential and secret information

Although confidential and secret information have different meanings, the kinds of information they may cover are the same.
There are five main types: management information, financial and accounting information, R&D and technical information, personnel information, and marketing and public relations information.

Types and examples of confidential and secret information:

- Management information: business plans, inventory information, M&A information, etc.
- Financial and accounting information: budget and sales information, financing information, joint venture plans, etc.
- R&D and technical information: design drawings, research reports, project specifications, etc.
- Personnel information: salary, promotion and transfer information, etc.
- Marketing and public relations information: sales history, sales promotion information, customer information, business partner information, etc.

Typically, personal information about customers and employees is also treated as confidential and secret information. In general, personal information includes data such as name, age, address, and gender, as well as the person's purchase history and website browsing history.

Terms with meanings similar to confidential and secret information

Difference between confidential/secret information and trade secrets

Confidential information and secret information have no clear legal definitions, whereas "trade secret" is defined by law, in Article 2, Paragraph 6 of the Unfair Competition Prevention Act. There, "trade secret" means a production method, sales method, or other technical or business information useful for business activities that is kept secret and is not publicly known.

Source: "Unfair Competition Prevention Act (Act No.
47 of 1993)," e-Gov Law Search

The Act thus sets three requirements for a trade secret: first, secrecy management, corresponding to "kept secret"; second, usefulness, corresponding to "useful technical or business information"; and third, non-public nature, corresponding to "not publicly known." However, information about anti-social activities such as tax evasion, information published in patents, and information described in publications do not qualify as trade secrets.

[Reference] "Handbook for Protection of Confidential Information: Toward Enhancing Corporate Value," Ministry of Economy, Trade and Industry

Difference between confidential/secret information and internal-only information

Internal-only information ("not for disclosure outside the company") is confidential information that could cause losses if it leaked outside the company. It may be shared with people inside the company, but not with outsiders such as business partners or consumers. Examples include meeting minutes and work rules. Confidential information is classified by importance as "Top Secret," "Secret," or "Internal Use Only," in descending order of confidentiality. Information classified "Top Secret" or "Secret" is considered to cause greater loss if leaked than internal-only information, and may be accessed only by a limited number of people within the company. Unlike secret information, internal-only information is not the subject of a nondisclosure agreement. And while internal-only information can be shared throughout the company, confidential information at the higher levels may not be shared even internally, depending on its importance.
Difference between Confidential Information, Confidential Information and Sensitive Information Sensitive information, also called "sensitive information," refers to personal information that requires careful handling. Leakage of such information may expose individuals to social risks such as discrimination or cause psychological damage. Examples of sensitive information include information about an individual's political views, religious beliefs, race or ethnicity, and place of birth or legal domicile. Careful handling of information is necessary to protect personal privacy. Sensitive information differs from confidential information in that it is not subject to a confidentiality agreement. In addition, confidential information is information about companies and government agencies, whereas sensitive information is information about individuals. Back to Table of Contents Risk of Leaking Confidential and Sensitive Information What risks are posed to a company if confidential and sensitive information is leaked? This section explains the risks posed by information leakage incidents. Risk of losing credibility and trust from society The discovery and spread of an information leak is a major problem that could lower the trust of customers, business partners, and society. If a breach or accident triggers distortion of information or false rumors through comments made by a third party on a social networking service, there is a concern that the company will be exposed to reputational damage. If the company loses credibility and trust from society in this way, it could be a serious crisis that could affect the survival of the company. Claims for damages may arise. In the unlikely event that a company's information leakage causes some kind of loss to the victim, the company may be sued for compensation for damages. In Japan, there have been cases of large-scale personal information leaks in the past, in which companies have compensated their customers for damages. 
The more sensitive the information is, the more serious the damage may be. Back to Table of Contents How to Prevent the Leakage of Confidential and Secret Information To prevent information leakage incidents, it is important to strictly adhere to company rules on a daily basis and maintain a secure IT environment. Finally, we would like to share with you some points to prevent leaks of confidential and sensitive information. Restrict and prevent bringing in and taking out recording media In principle, prohibit the bringing in and use of media capable of storing confidential and sensitive information within the company. For example, carrying data on USB memory sticks or external hard disks carries the risk of loss or theft. Similarly, it is also undesirable for employees to use their personal media for business purposes. It is also important to stipulate and clearly state rules restricting the taking out of company computers and where they may be used. New management methods may be introduced to keep information assets safe, such as requiring employees to apply in advance when taking computers out of the office. With the spread of telework, there is an increasing need to more rigorously negotiate these rules. Install and update security software. Install security software on company computers and other terminals to protect your company's IT equipment and network from damage caused by viruses and unauthorized access. Terminals that already have security software downloaded should also support periodic updates. Keep your software up-to-date with updates and be prepared for new cybercrime tactics. Raise employee awareness of information security. In order to keep your company's confidential and sensitive information safe, it is important that each and every employee understands the basics of information security and handles information within the company appropriately. For systematic learning of information security, please consider implementing training programs. 
In this case, use an e-learning system that also has a learning management function so that you can check the proficiency level of your employees. Back to Table of Contents Confidential and Confidential Information: Keeping the Difference Between Confidential and Confidential Information and Taking Steps on Both Sides We have explained the difference between confidential information and sensitive information handled by companies. Confidential and sensitive information have different connotations, but the types of information they cover are common. Based on the precautions we have provided, strengthen your internal security measures and aim for safe operations. When you are making information security known within your company, please use the information security training contents of "learningBOX ON". learningBOX ON is a service that makes it easy to add training contents that are essential for companies to learningBOX, which is an e-learning creation and management system. The service allows you to easily add the training content required by your company to learningBOX, an e-learning creation and management system. You can easily design your own original learning courses by combining the content with your own in-house content. We encourage you to use this service for your in-house training programs, as the contents for information security training and compliance training are available free of charge. ▼Here's another recommendation! Also read. Back to Table of Contents

What security measures do companies take? Introduction of Methods and Key Points

Information systems and Internet-based data management are now indispensable for companies. Their convenience is beyond doubt, but they have another side: data managed over the Internet is connected to the rest of the world and is therefore always exposed to attack from outside. An information leak caused by unauthorized access can damage a company's brand image and cause significant losses, so robust security measures are a major issue for every company. This article introduces the methods and key points of the security measures companies take. Use it to review your own company's measures.

What are security measures?
In the IT age, companies and organizations hold a great deal of information on their systems, including trade secrets and the personal information of customers and employees. If this information leaks or the data is corrupted, the company suffers serious social damage, and in some cases business performance declines or the company even goes bankrupt. Companies therefore take a variety of security measures to protect their information resources.

Three elements of information security
Information security, the set of measures that prevents information leaks and data corruption, rests on three elements: confidentiality, integrity and availability. Information security is sometimes referred to as "CIA", from the initials of these elements.
・Confidentiality: only authorized persons can access the information
・Integrity: the information is accurate and complete, neither tampered with nor missing or duplicated
・Availability: the information can be accessed whenever it is needed
Keep these three elements in mind when handling important information.

Difference between information security and cyber security
Besides information security there is also cyber security. Cyber security addresses threats to information security: while information security is concerned with how information is handled, cyber security is concerned with countering so-called cyber attacks. The two are not separate; rather, cyber security is a part of information security. The following examples show which cases actually threaten information security.

Specific examples of security damage
Example 1: Malware infection
Malware is a general term for programs or software that harm a user's device; ransomware and Trojan horses are types of malware. An infection can leak important information externally, or destroy, rewrite or lose data.
Example 2: Information leakage and theft
Information leaks are caused not only by malware but also unintentionally by changes in the working environment, such as telework. There are also cases in which a computer or data containing confidential information that an employee took out of the office was stolen.
Example 3: Unauthorized access
Unauthorized access can lead to leakage of confidential information, service outages and website tampering.
Example 4: Equipment failure due to disasters
Natural disasters such as typhoons, earthquakes and lightning strikes can knock out servers and power and shut down information systems.

How companies take security measures
What security measures do companies actually take? Here are countermeasures for each of the cases above.

Countermeasure 1: Against malware infection
Security software is effective in preventing malware infection. Do not just install it; update it regularly, because malware is constantly being created and refined, and outdated virus definition files leave you exposed.
Countermeasure 2: Against information leakage and theft
In addition to security software, raise employees' security awareness through training. Set rules for taking documents and PCs out of the office and restrict how employees may handle information.
Countermeasure 3: Against unauthorized access
Unauthorized access exploits weaknesses in systems and in account management. To prevent it, manage accounts properly, encrypt data, and deploy a firewall to block unauthorized connections.
Countermeasure 4: Against equipment failure due to disasters
Natural disasters are unpredictable. Take regular backups and deploy standby systems, and store the backup data in a separate location so that one disaster does not destroy both the original and the copy. Important paper documents should be stored in a safe.

What information security measures should SMEs take first?
Information security measures are not just for large companies; small and medium-sized enterprises (SMEs) also need solid measures. However, SMEs tend to lack the budget and staff to implement the full range of measures that large enterprises do. So where should they start? Below are three high-priority measures that can be implemented even on a limited budget.
(1) Strengthen computer security
Update the OS and other software promptly to keep them current. We also recommend installing security software. Corporate security software lets you manage all of the company's terminals centrally, and can improve the security of company PCs by, for example, restricting access to websites unrelated to work and blocking connections to external storage.
(2) Thoroughly educate employees
Security measures are meaningless unless every employee follows them, so raising each employee's awareness is essential, and training is an effective way to do it. Make sure employees know the measures that prevent information leaks: preventing misdirected e-mail, not setting easy-to-guess passwords, not clicking suspicious URLs, and being careful on social networking services.
(3) Measures for telework
Telework has become widespread, but working outside the office brings risks such as information leaks and malware infection. First, establish company rules for handling and taking out data during telework. Use anti-virus software on the terminals used for telework, and connect only over secure connections. Make sure everyone understands that connecting through public Wi-Fi and similar networks risks malware infection and information leaks.

Summary
In today's IT-oriented world, information systems and the Internet are essential for every company. They offer great convenience, but they also carry risks such as information leaks, and if a system failure suspends a service, the company's image and business performance suffer. Information security covers a wide range of measures, including countermeasures against unauthorized access, malware and natural disasters, but the first step is to educate employees thoroughly. Raise employees' awareness of information security and protect the company's information.

To raise awareness of information security within your company, consider the information security training content of "learningBOX ON". learningBOX ON is a service that makes it easy to add the training content companies need to learningBOX, an e-learning creation and management system. You can design original learning courses by combining this content with your own in-house material. Content for information security and compliance training is available free of charge, so please make use of it in your in-house training programs.

List of Risks of Information Leakage|Examples of Damage by Type and Suggested Countermeasures by Cause

In recent years, many companies have come to realize that the danger of information leaks lies close at hand. Cybercrime techniques grow more sophisticated every year and any company can be targeted, and leaks also occur through human error within a company, often against a background of insufficient employee training. This article describes the risks that information leaks pose to companies, measures to prevent them, and the response flow to follow when one occurs. Use it to review your own company's countermeasures.

List of risks posed by information leaks
Reducing the risk of information leaks now requires more robust measures than before; there have been many serious leaks that conventional security measures alone could not handle. One reason is the spread of telework during the new coronavirus pandemic and the proliferation of mobile terminals such as smartphones and tablets for business use. In the "10 Major Threats to Information Security" published by the IPA (Information-technology Promotion Agency, Japan), "attacks targeting telework and other new-normal work styles" have been ranked as a threat since the 2021 edition. First, here is a list of the risks to be aware of.

[Reference] "10 Major Threats to Information Security 2021" (Information-technology Promotion Agency, Japan)

List of risks posed by information leaks
Primary risks
・Becoming a victim of identity theft and fraudulent use: unauthorized use of a customer's credit card; hijacking of corporate SNS accounts; spread of e-mails spoofing the company
・Compensation for damages and criminal penalties: imprisonment of up to one year or a fine of up to one million yen for violating a measure order; payment of 10,000 yen to each affected person; distribution of 500-yen gift certificates to each affected person
・Website tampering: unintended advertisements displayed; automatic redirection to another site; malware infection of visitors
Secondary risks
・Loss of public trust: termination of transactions with important customers; falling market share; negative publicity spread on social networking sites
・Employee anxiety and distrust: increased resignations; deteriorating workplace atmosphere

Becoming a victim of identity theft and fraudulent use
Spoofing is a third party pretending to be someone else on the Internet, leading to misuse of personal information such as IDs, passwords and e-mail addresses. E-mails impersonating the company may be spread, customers' credit cards may be used fraudulently, and the company's social networking accounts may be hijacked.

Damages and criminal penalties
If a leak of personal information is discovered, the company may be subject to a government measure order and to penalties. The amended Personal Information Protection Act, in force since April 2022, strengthened both the measure order and the penalties: violating a measure order now carries up to one year's imprisonment or a fine of up to one million yen. An information leak can also give rise to civil liability for damages, because it constitutes a tort that unlawfully infringes the rights and interests of others. In addition, apart from damages, there have been cases in which companies paid apology money in the form of gift certificates, electronic money or points.

Reference: "2020 Amended Personal Information Protection Act" (Ministry of Internal Affairs and Communications)

Website tampering
A malicious third party may exploit a website's vulnerabilities to gain unauthorized access and alter its content without the company noticing. Besides displaying advertisements unrelated to the business, such tampering can redirect visitors to fake sites or infect them with malware, so caution is required.

Damage to social credibility
A leak damages the trust of business partners and customers and harms the company's social credibility and brand image; reputational damage on social networking sites and a drop in the share price are further concerns. If the incident forces a suspension of business activities or service operations, the losses can be significant.

Employee anxiety and distrust
Information leaks also affect employees. They may become anxious and distrustful of the company and lose motivation for their work, and staff who have to deal with outside parties after an incident are prone to overwork and stress, which can increase resignations.

Major causes of information leakage and examples of risk-reduction measures
What are the main causes of corporate information leaks? Take measures against each cause to ensure thorough information management in your company.

Major causes of information leakage
The causes fall into three broad categories: leaks due to internal human error, intentional leaks from within, and leaks due to external attacks. Measures must therefore be taken from several angles depending on the cause.

Classification of causes
・Internal, human error: loss or misplacement; careless conversations or social networking posts; mishandling of e-mail or systems. Source: full-time employees, retirees, outsourced staff, part-time workers, contractors, etc. Cause of occurrence: carelessness, lack of knowledge, etc.
・Internal, intentional: unauthorized removal; unauthorized manipulation. Source: as above. Cause of occurrence: economic motives, etc.
・External, malicious attacks: cyber attacks; malware infection; eavesdropping or theft. Source: individual or organized criminals, domestic or overseas.

Examples of countermeasures against information leaks, by cause
Human errors such as loss or misplacement, mishandling, mismanagement and theft account for more than 60% of the causes of information leaks, according to figures published in a 2018 survey by the Japan Network Security Association.

[Reference] "Survey Report on Information Security Incidents in 2018" (Japan Network Security Association)

These results show that a relatively large share of leaks can be avoided through employees' security knowledge and awareness, so periodic training and the formulation of guidelines and rules are effective. The following table summarizes effective measures for each cause of human error.

Causes and examples of countermeasures
・Management error: do not connect personal computers to the company network; always shred paper documents; use different e-mail addresses for work and private use; lock the work computer whenever you leave your seat
・Mishandling: implement a system that prevents misdirected e-mail; encrypt transmitted data
・Loss or misplacement, eavesdropping, theft: do not leave bags on train luggage racks; do not take company information home; do not use USB memory sticks or other portable storage media; do not post work-related information on social networking sites; do not talk about work in public places such as elevators and pubs

Response flow to limit risk in the event of an information leak
If an information leak occurs at your company, respond promptly following the flow below. Confirm it in advance so that it is ready in an emergency.

Step 1: Confirm the situation and report immediately
When signs of a leak or its impact are detected, report to the person in charge immediately. The person in charge then sets up the internal response organization and decides the policy and details of the initial response. Take care not to operate the affected equipment carelessly, so that evidence pointing to the cause is not destroyed; for example, do not delete e-mails or files related to the incident.

Step 2: Initial response to prevent secondary damage
Next, take emergency measures to stop the leak from spreading and to prevent secondary damage. In some cases a temporary suspension of services may be warranted. If personal information has leaked, contact the affected individuals and ask them to change their passwords or stop using the service.

Step 3: Investigate the cause and disclose information
After a fact-finding investigation into the cause, disclose accurate information to the public. What matters is to release information that is well established and supported by evidence; avoid releasing ambiguous information or speculation that could cause confusion.

Step 4: Report to the relevant authorities and announce publicly
To fulfil their accountability for an information leak, companies must report the incident to the relevant authorities and make a public announcement. Besides notifying suppliers and customers, report to the regulatory authorities, the police and the Information-technology Promotion Agency (IPA). Decide the timing of the public announcement after considering whether it could escalate the damage.

Step 5: Consider and implement measures to prevent recurrence
Once the initial response is complete and business activities and services have been restored, work on preventing a recurrence: identify the issues behind the cause of the leak and implement countermeasures, compensate the victims, and discipline the employees involved. Because a detailed public description of the preventive measures could reveal the vulnerability to third parties, consider the scope of the announcement carefully.

[Reference] "Collection of Points for Dealing with Information Leaks" (Information-technology Promotion Agency, Japan)

Preparing for the risk of information leakage
We have introduced countermeasures against the risk of information leaks and a response flow to minimize damage. Most leaks are caused by human error on the part of employees, so improving internal information security education is the key to reducing risk. Be prepared for any eventuality and focus on employee education.

To inform your employees about information security, consider the information security training content of "learningBOX ON". learningBOX ON is a service that makes it easy to add the training content companies need to learningBOX, an e-learning creation and management system. You can design original learning courses by combining it with your own in-house content. Content for information security training and compliance training, among others, is available free of charge, so please make use of it in your in-house training programs.

How to conduct and choose e-learning for information security training

Information leaks by companies are often caused by a lack of employee literacy, and information security education is becoming increasingly important. When trying to establish knowledge through in-house training, we recommend the use of an e-learning system. This article provides examples of content for implementing information security training via e-learning and how to choose the right service. We also introduce services and materials that are useful for creating content. Types of e-learning content for information security training Information security training is generally provided through group training or e-learning. There are many learning areas in e-learning content for information security training, so select and prepare appropriate content in consideration of the purpose of the training and budget. Examples of Information Security e-Learning Content Security incidents, including personal information leaks, can occur regardless of the nature of the business. Factors that may cause such incidents range from loss of information assets to cyber attacks. Therefore, when conducting information security training, it is advisable to target all employees, regardless of contract type or position. The following is a list of examples of e-learning content for information security training. Understanding the Personal Information Protection Law and proper handling of personal information Rules and risks of using social networking services Compliance Targeted Attack Email Threats and Response Measures Importance of information asset and device management Recent examples of information security incidents ID and password management Importance of supply chain security Security Risks in Using Cloud Services Back to Table of Contents How to Select E-Learning Content for Information Security Training Various services offer e-learning for information security training. 
What criteria should be used to select the right one to use for employee training and to improve the security awareness of the entire company? Here, we explain the key points for selecting e-Learning for information security training. Is the learning area general-purpose or specialized? E-learning learning areas can be divided into "general-purpose" and "specialized" depending on the service offered. General-purpose The general-purpose type is characterized by offering a wide range of learning areas that are in high demand by companies. Content includes not only information security training, but also business manner training and harassment training. If you want to choose from a wide range of options according to the needs of the moment, the general-purpose type is recommended. Specialized type The specialized type is characterized by offering specialized content in a particular field of study. Therefore, the specialized type is recommended when you want to increase the quality and frequency of training in a specific field of study. For example, a typical example is a case in which a company has a policy to intensively reinforce training related to information security over the medium to long term. Select a service that offers the learning areas you want to focus on according to your company's issues related to information security. Is content customization flexible? E-learning services differ in their customizability depending on the provider. Specifically, e-learning services can be categorized into two types: those in which the original content created by the provider is used without editing, and those in which the content is customized for the company's own use. To optimize the content of information security training for your company, it is recommended to introduce a service that offers flexible content customization. Employee literacy and the know-how required for business operations differ from organization to organization. 
By choosing a service with excellent customizability, you can improve the training content according to the level of understanding and attendance of your employees, and provide continuous information security education. Is the fee structure and amount appropriate for your budget? The type and amount of fees for e-learning services vary from provider to provider. Some offer free e-learning services, some charge a monthly subscription fee, some only require an initial fee, and some charge a fee for each course taken. When introducing an e-learning service, be sure to set aside a budget in advance and confirm that the type and amount of fees for the service you are considering using are commensurate with your budget. It is also important to take advantage of free trials to determine if the service is easy to use and cost-effective. Back to Table of Contents Useful Information for E-Learning Information Security Training Finally, here are some useful contents and services for conducting information security training via e-learning. Select the most appropriate service based on the functionality you require, the scale of use, and the frequency of use. IPA "Information Security Measures Support Site The IPA (Information-technology Promotion Agency, Japan), under the jurisdiction of the Ministry of Economy, Trade and Industry, makes materials on information security measures available to the public. The page introduces specific security measures according to the purpose and situation, such as web conferencing, teleworking, and long vacations. It can also be downloaded and used as training materials or handouts. You may want to take a look at this page, as it can be easily viewed without the need to log in. 
Reference] Information Security Measures|Information-technology Promotion Agency, Japan (IPA) Ministry of Internal Affairs and Communications "Cyber Security Site for Citizens This is a website of the Ministry of Internal Affairs and Communications (MIC) that provides basic knowledge of information security and countermeasures. For countermeasures in companies and organizations, the curriculum is divided by roles, such as executives, employees, and information management personnel, and is designed to be easy to use for company-wide training programs. The page also includes videos and documents of past online courses on information security measures, and PDF documents can be downloaded and distributed, which will be helpful in consolidating knowledge. Reference] Cyber Security Site for Citizens|Ministry of Internal Affairs and Communications e-learning system "learningBOX learningBOX is a learning management system that allows you to conduct employee training online. It covers all the functions required for e-learning, including the creation of teaching materials and tests, grading, and management of course histories, and is useful for in-house production of information security training. In addition, "learningBOX ON" makes it possible to add existing training content to the learningBOX. In addition to information security training, content such as harassment training, business manner training, and compliance training is available free of charge, and original learning courses can be easily designed by combining them with in-house content. Up to 10 accounts are available free of charge, so please feel free to try it out when conducting information security training via e-learning. Back to Table of Contents Conduct Information Security Training via e-Learning to Improve Learning Efficiency In this issue, we have explained how to select content and services when conducting information security training via e-learning. 
In today's world, where information management risks are becoming more complex and diverse, companies are expected to invest actively in information security measures. In-house training is one such measure, and e-learning makes it possible to provide content tailored to the literacy and position of each employee. By implementing information security training via e-learning, you can both consolidate knowledge and improve learning efficiency. In addition to information security training, learningBOX ON also offers free access to essential in-house training content, such as harassment and compliance training, for use in your in-house training programs.

9 Ways to Prevent Information Leakage

Although the advent of the Internet has made information management more important than ever, there have been many cases of information leaks caused by delayed responses. When an information leak occurs at a company, not only is its image tarnished, but it may also face claims for damages and other problems that threaten the continued existence of the business. To reduce these risks, it is important to take measures in advance. This article therefore explains the key points of information leakage countermeasures and the main causes of information leaks.

Specific measures and points for information leaks

Companies manage a great deal of highly confidential information, and once it is leaked the consequences are immeasurable, including loss of trust from business partners and payment of large amounts of compensation for damages. To prevent such a situation, take measures against information leaks by referring to the following points.

Specific examples and key points of information leakage countermeasures

Subject: Employees
- Establish guidelines and rules
- Conduct regular information security training
- Restrict or prohibit taking information and equipment out, or bringing them in
- Introduce a system to prevent misdirected e-mails
- Prohibit the careless abandonment or disposal of information
- Prohibit the careless public disclosure of information

Subject: Outsiders
- Strictly manage IDs, passwords, and other credentials
- Install and update security software
- Perform regular system updates and vulnerability checks

Information Leakage Countermeasures and Key Points for Employees

Establish guidelines and rules

To prevent human error, rules must be developed and implemented in line with company-wide guidelines. The policy set by management and the operational issues in the field should be reconciled in both directions.
In doing so, it is a good idea to refer to the guidelines published by the Information-technology Promotion Agency, Japan (IPA).

[Reference] "Guidelines for Information Security Measures of Small and Medium Enterprises, Third Edition" (Information-technology Promotion Agency, Japan)

Conduct regular information security training

It is also important to conduct regular information security training to increase employees' knowledge and awareness of information security. Regardless of the nature of their work, employees should always be aware of the risk of information leaks, which raises their security awareness. Risks are easier to avoid if all employees involved in the business are covered by training, regardless of the type of contract.

Restrict or prohibit taking information and equipment out, or bringing them in

To prevent information leaks due to loss or theft, it is important to restrict or prohibit taking information assets out of the company and bringing personal belongings in. Operational rules should also be established for cases where this is unavoidable, or where telework is introduced. Specifically, this may include obtaining permission from the responsible person and limiting the information and devices for which permission is granted.

Introduce a system to prevent misdirected e-mails

To prevent information leakage through misdirected e-mails or wrong attachments, it is effective to introduce a system that prevents misdirected e-mails. Such systems offer functions such as sending only after approval by a superior, automatic CC copies, and reconfirmation of recipients and attachments before sending, and help strengthen the information management system.

Prohibit the careless abandonment or disposal of information

To prevent the leakage of confidential information, the careless abandonment or disposal of information must be prohibited.
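A pre-send guard of the kind described in the misdirected e-mail section above, written here as an added example (it is not code from the article or from learningBOX). It implements three of the functions the text names: release only after a superior's approval, an automatic CC to the approver on external mail, and a reconfirmation prompt that lists what is risky about the message. It also adds a look-alike-domain check, the classic misdirection where one letter in a customer's domain is mistyped. The domain lists, the [CONFIDENTIAL] subject marker, the thresholds and the three sample messages are constructed for this example; a real deployment would call check_outbound() from the mail client or the outbound MTA.

```python
"""Pre-send guard against misdirected e-mail (added example, not article code).
Domain lists, the [CONFIDENTIAL] marker and the sample messages below are constructed."""
from dataclasses import dataclass, field
from email.utils import getaddresses
from typing import Dict, List, Optional

# Assumption: the company's own mail domains. Anything else counts as external.
INTERNAL_DOMAINS = {"corp.example"}
# Assumption: partner domains a supervisor has already cleared for routine mail.
TRUSTED_PARTNER_DOMAINS = {"partner.example"}
# Assumption: marker the company puts in the subject of confidential mail.
CONFIDENTIAL_MARKER = "[CONFIDENTIAL]"
# Edit distance at or below which an unknown domain is treated as a look-alike.
LOOKALIKE_DISTANCE = 2
# More visible external recipients than this is treated as a forgotten Bcc.
MAX_VISIBLE_EXTERNAL = 5


@dataclass
class OutboundMail:
    sender: str
    to: List[str]
    cc: List[str] = field(default_factory=list)
    subject: str = ""
    attachments: List[str] = field(default_factory=list)
    approved_by: Optional[str] = None  # supervisor who released the mail, if any


@dataclass
class Verdict:
    allowed: bool
    reasons: List[str]  # shown to the sender as the reconfirmation prompt
    auto_cc: List[str]  # addresses the system adds so a second person sees the mail


def domain_of(addr: str) -> str:
    """Lower-cased domain of a header-style address such as 'Name <user@host>'."""
    _, address = getaddresses([addr])[0]
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to catch typo / look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_outbound(mail: OutboundMail, supervisor: str) -> Verdict:
    """Decide whether a mail may leave, and what the sender must reconfirm."""
    reasons: List[str] = []
    external = [a for a in mail.to + mail.cc if domain_of(a) not in INTERNAL_DOMAINS]
    unknown = [a for a in external if domain_of(a) not in TRUSTED_PARTNER_DOMAINS]
    known = INTERNAL_DOMAINS | TRUSTED_PARTNER_DOMAINS

    # A domain nobody has vetted is the most common misdirection; a near miss is a typo.
    for addr in unknown:
        dom = domain_of(addr)
        close = sorted(k for k in known if 0 < levenshtein(dom, k) <= LOOKALIKE_DISTANCE)
        if close:
            reasons.append(f"{addr}: domain looks like {close[0]} (possible typo)")
        else:
            reasons.append(f"{addr}: unknown external recipient")
    # Attachments leaving the company need a second pair of eyes.
    if external and mail.attachments:
        reasons.append("attachment(s) to external recipient(s): " + ", ".join(mail.attachments))
    # Confidential-marked mail must not go outside without approval.
    if external and CONFIDENTIAL_MARKER in mail.subject:
        reasons.append("confidential mail addressed outside the company")
    # Many visible external recipients usually means someone forgot to use Bcc.
    if len(external) > MAX_VISIBLE_EXTERNAL:
        reasons.append(f"{len(external)} external recipients visible in To/Cc; use Bcc")

    if reasons and mail.approved_by is None:
        return Verdict(allowed=False, reasons=reasons, auto_cc=[])
    # Released: external mail is automatically copied to the supervisor.
    return Verdict(allowed=True, reasons=reasons, auto_cc=[supervisor] if external else [])


def evaluate_samples() -> Dict[str, Verdict]:
    """Run the guard over three constructed messages."""
    supervisor = "manager@corp.example"
    samples = {
        "internal_only": OutboundMail(sender="sato@corp.example",
                                      to=["suzuki@corp.example"], subject="Minutes"),
        "typo_domain": OutboundMail(sender="sato@corp.example",
                                    to=["Tanaka <tanaka@crop.example>"],
                                    subject="Customer list", attachments=["customers.xlsx"]),
        "approved_partner": OutboundMail(sender="sato@corp.example",
                                         to=["lee@partner.example"],
                                         subject="[CONFIDENTIAL] Q3 figures",
                                         attachments=["q3.pdf"], approved_by=supervisor),
    }
    return {name: check_outbound(m, supervisor) for name, m in samples.items()}


if __name__ == "__main__":
    for name, v in evaluate_samples().items():
        print(name, "ALLOW" if v.allowed else "HOLD", v.reasons, v.auto_cc)
```

The internal-only message passes silently; the message to the mistyped domain "crop.example" with a spreadsheet attached is held with two reasons for the sender to reconfirm; the approved confidential mail to a cleared partner is released and copied to the supervisor. Keeping the reasons even on approved mail gives the approver an audit trail of what they waved through.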
If information is left where anyone can access it, or disposed of in a state where it can be retrieved or read, it may be used by a malicious third party. Establish rules such as not leaving documents and computers visible to outsiders when away from your desk, and physically destroying electronic media and credit cards when disposing of them.

Prohibit the careless public disclosure of information

Even if information is handled and disposed of properly, an employee's careless remarks can lead to information leaks. Specifically, information obtained within the company may be leaked through social networking sites, blogs, or conversations with employees of other companies. It is therefore important to instruct employees to maintain confidentiality when conducting in-house information security training.

Information Leakage Countermeasures and Key Points for Outsiders

Strictly manage IDs, passwords, and other credentials

To withstand increasingly sophisticated external attacks, it is important to strengthen ID and password management. Thoroughly implement basic measures such as not using easy-to-guess strings such as names, not reusing the same password across services, and not keeping credentials where outsiders can see them.

Install and update security software

Security software is an effective measure against personal information leaks caused by cyber-attacks: it can handle new attack methods that are difficult to address with standard OS functions alone, reducing the risk of security incidents. It is also important to keep the definition files updated to keep pace with constantly evolving methods and viruses.

Regularly update your systems and check for vulnerabilities

External attacks often target vulnerabilities in systems and applications.
Therefore, to prevent information leaks caused by outsiders, system updates and vulnerability checks must be performed on a regular basis. If a vulnerability is discovered, assess its severity and impact, then take appropriate action such as installing new security tools or suspending or modifying use of the affected system.

Major Causes and Incidents of Information Leakage

The main causes of information leaks fall into two categories: human error or intentional misconduct by internal staff, and malicious attacks from outside. Here we give specific examples of each and the factors behind them.

Causes, sources, and contributing factors of information leaks

Classification: Internal
  Main cause: Human error (lost or misplaced items; careless conversations or social networking posts; mishandling of e-mails or systems)
    Source: Full-time employees, retirees, outsourced staff, part-time workers, contractors, etc.
    Contributing factors: Carelessness, lack of knowledge, etc.
  Main cause: Intentional (unauthorized removal; unauthorized manipulation)
    Source: Full-time employees, retirees, outsourced staff, part-time workers, contractors, etc.
    Contributing factors: Economic reasons, etc.

Classification: External
  Main cause: Malicious attacks (cyber attacks; malware infection; eavesdropping or theft)
    Source: Single or organized criminals, domestic or international, etc.
    Contributing factors: Single or organized crime

Information leakage due to internal human error

Information leaks due to internal human error are mainly caused by misplaced or lost recording media such as PCs, documents, and USB memory sticks, and by mishandling of e-mails, such as wrong recipients or wrong attachments. Information can also be leaked through careless conversations in public places. A third party may overhear your conversation in the lounge of an office building, in an elevator, in a café, or in a pub, so be careful. Statements such as "Our company plans to go public soon..." or "Next year's new product will use XX technology..." should be avoided.
Other potential sources of leaks include careless posts on social networking sites, such as posting confidential information before its release or personal information about customers. Even when posting anonymously, be aware that the sender and their organization may be identified from the content of the message.

Internal intentional leakage of information

Intentional internal leaks include cases where information is taken out of the company by a departing employee. The motive may be financial, or distrust of or dissatisfaction with the organization.

Information leakage due to external attack

Typical causes of leaks due to external attacks are unauthorized access and malware infection. Malware refers to malicious programs or software that cause terminals to malfunction or information to leak. It leads to leakage of personal and customer information, misuse of IP addresses, and other incidents. Also be aware of cases where information is stolen through eavesdropping in the office or unauthorized entry.

How to Respond and Procedures to Follow in the Event of an Information Leak

In the event of an information leak, immediate action is required to minimize the damage. This section explains step by step how to respond.

Step 1: Confirm the facts and report immediately

First, immediately report any signs or effects of an information leak to the person in charge. Establish a response structure centered on that person, along with the policy and details of the initial response. Do not delete e-mails or files or perform any other careless operations, so that evidence pointing to the cause of the leak is not erased.

Step 2: Initial response to prevent secondary damage

Next, take emergency measures to prevent the leak from spreading and to prevent secondary damage.
Measures such as shutting down the network or suspending services should be considered. In the event of a personal information leak, the affected parties may be contacted and asked to change their passwords or stop using the service.

Step 3: Investigate the cause and disclose information

The next step is to investigate the cause of the leak: from a 5W1H perspective (who, what, when, where, why, how), establish the facts and secure evidence. Once countermeasures have been clarified, companies are expected to disclose the information promptly to reduce the number of similar cases.

Step 4: Report to the relevant authorities and make a public announcement

Next, consider whether a report or public announcement to business partners, consumers, and relevant ministries and agencies is necessary. If transaction or personal information has been leaked, the basic rule, unless there is a specific reason otherwise, is to notify the business partners and individuals concerned, apologize, and alert them to the possibility of secondary damage. If individual notification is difficult because of the number of people affected, a public announcement may be made on the company's website or at a press conference. If a crime is suspected, such as a demand for money or unauthorized access, report the incident to the police promptly.

Step 5: Consider and implement measures to prevent recurrence

Finally, measures to prevent a recurrence are examined and implemented. Based on the investigation report, claims for damages against the person responsible and disciplinary action against internal staff are also considered at this step.

[Reference] "Key Points for Responding to Information Leakage" (Information-technology Promotion Agency, Japan)

Reduce Security Risks by Implementing Information Leakage Countermeasures

Information leaks are a risk that can occur at any company.
Since the possible causes are varied, from carelessness by internal employees to attacks from outside, comprehensive measures must be taken to prevent leaks before they occur. Take this opportunity to implement information leakage countermeasures and reduce your security risks. Please use the "learningBOX ON" information security training content to familiarize your company with information leakage countermeasures. "learningBOX ON" is a service that makes it easy to add the training content companies need to learningBOX, an e-learning creation and management system. You can design your own original learning courses by combining it with content created in-house. Content for information security and compliance training is available free of charge, so we hope you will make use of it in your internal training programs.