Following claims that the Ministry of Defence (MoD) had launched a publicity campaign to educate its staff about information security as well as announcing a mandatory computer-based training course on protecting information, BlockMaster CSO Anders Pettersson claimed that education is fair enough but telling people is only half the job.
The MoD's annual performance report claimed that the vital role that information plays across the department has been reinforced through the establishment of a new CIO role and supporting organisation. It acknowledged that to date there is no evidence that any individual has suffered as a result of an information loss, but this gives the MoD no excuse for complacency.
The report stated: “Our remit for protecting information extends beyond the immediate boundary of the department into our supply chain, parts of which handle personal data and other key information on our behalf. We work with our industry partners to ensure that they understand their responsibilities and where necessary we are supporting this with contractual changes.”
It claimed that a publicity campaign has increased awareness of the importance of information assurance across the department and a new computer based training course on protecting information has been developed. The completion of this, or an equivalent method of training, is now mandatory for all staff.
“A cultural change programme is being developed to ensure that the main themes of Sir Edmund Burton's report relating to all MoD information, personal or otherwise, is taken forward in the long term,” said the report.
Anders Pettersson claimed that risks cause education and awareness in IT security, but users, organisations and vendors need to consider why losses are happening again and again and consider what is wrong?
Pettersson said: “I would have thought that the MoD would be quite rigorous in putting policies in place, but the everyday user will only use security features if they are user-friendly and work automatically so it can add some form of benefit to the company. Then the user will use it if they like it and find it easy to work with.
“If you are looking at an isolated issue, our solution will fulfil a need but if you're looking at a wider picture then that is an issue of education and what solutions sound like they will be a good fit.”
Pettersson further claimed that it is a combination of basic training in using security tools, and on the vendor to offer usability so that it is straightforward and something that the user can understand.
“There are step-by-step guides that focus on building IT security for organisations, it is a complex issue on how to educate but those people have built in judgement on whether something is good or not,” said Pettersson.