William Beer, director, OneSecurity, PricewaterhouseCoopers (PwC), says that organisations should be making people - not technology - their first line of defence against damaging security incidents.
The cost of rectifying problems after a data breach can be immense – and often surpasses the amount that, if invested wisely, could have mitigated the risks. And the reputational damage to any organisation that demonstrates its inability to protect personal and financial data is very hard to repair.
While recent high-profile security breaches have shocked the public, they are not news to those working in the field of information security. Breaches are preventable, yet happen again and again.
Has IS got the right focus?
PwC's 2010 Global State of Information Security Survey showed that only 48 per cent of organisations surveyed in the UK have an employee security-awareness programme, drastically behind global leaders – the US (64 per cent) and India and Australia (both 59 per cent).
It concluded that “the increased risk environment has elevated the role and importance of information security” and found that business leaders see data protection as one of their most important priorities. Across all sectors, the survey found that the level of investment in security has increased to meet threats, and that the commitment of IS professionals to increasing the levels of protection and deterrence remains high.
The industry's response has been strongly biased towards improving things by further investment in technology: in essence, solving what is perceived to be a technical issue with a technical solution.
Human versus technical defence
The reality is that financial losses due to cyber crime are growing, despite advances in technical defences such as firewalls and anti-malware. Credit card and online fraud are up, with identity theft an everyday problem. Often, such breaches are the result of human error, which no technical defence could have prevented.
According to the Computer Security Institute's Computer Crime and Security Survey, 25 per cent of respondents said 60 per cent of financial losses came from accidental breaches by insiders, not external hacks. It also found that less than one per cent of security budgets are allocated to awareness training.
Technical solutions are too frequently being prescribed for people problems. There is always a human element: negligence, ignorance, confusion, anger, even curiosity, can give rise to incidents.
Efforts to improve security can result in cumbersome systems that get in the way – rather than help people do their jobs. As a result, people bypass security controls; so the human element within a technical solution diminishes its desired effect.
What is required is a new approach, where an investment in understanding and influencing the behaviours of all those concerned is balanced against the investment in technology and processes.
Invest in people. Make them the first line of defence against security incidents. The ROI from a well-executed strategy to develop the right behaviours around IS stands up favourably when compared to the level of investment in technology.
Good security awareness
A well thought-out approach to developing the right behaviours will ensure that all those working for an organisation will be alert to risks, will want to act to protect it and will know that they will be supported in doing so. It pays for itself many times over. Good security awareness has clear benefits and can help in: reducing incidents of theft and fraud; avoiding breaches of law, with associated fines and adverse publicity; ensuring continuous availability of critical information; protecting brand and reducing reputational risk; using security as a marketing differentiator.
Security-aware employees are often the best placed to identify a potential breach or a weak link. Equally, savvy employees can prevent and reduce the impacts of incidents when they do occur.
A security-aware workforce will provide improved protection for an organisation's assets and give rise to an environment where all staff members are committed to the protection of information assets.
Talk to one another
Many organisations are enormously complacent when it comes to security. The difficulty large organisations face is that security functions tend to be autonomous, fragmented and isolated. Rarely do security teams engage with the business, and even more rarely does the business talk to the security team.
A lack of understanding can provide a false sense of security, as no security measure will fully protect the organisation if the workforce does not implement it on a daily basis.
Successful organisations have high levels of engagement of both their employees and the people they serve. This comes from a common belief in what the organisation is there to do, from clear leadership and from the concerted efforts of all those involved.
Supporting employee change
The main objective of any awareness-raising approach is to lead people to exhibit new behaviours. However, simply telling people what to do is seldom enough to make them change. There is value in considering the regular points of contact that an organisation has with employees, which are opportunities to influence behaviours, values, and attitudes and provide consistent messaging on IS issues.
Accessible policies are essential, as is the support for employees and those who buy from or use an organisation's services. Developing the right behaviours will ensure that all those working for an organisation will be alert to risks, want to act to protect it and will know that they will be actively supported in doing so.
The personal touch
In light of high-profile reports on identity theft, credit card fraud and exploitation on the internet, people want to know how they can protect themselves and their families from becoming a victim both at home and at work. This provides an opportunity to engage the workforce with security awareness, providing them with not only the key rules for the organisation but also advice for them and their families: an effective method of achieving long-term behavioural change.
Successful security awareness campaigns demand cohesion and consistency. A programme that develops over several years with a common theme, an attractive look-and-feel and effective measurement of progress against robust benchmarks is a minimum requirement to ensure the right messages get through.
Whether organisations are reviewing current security awareness approaches or developing new ones, it is worthwhile considering a number of key questions:
Securing against the myriad threats to information that exist in the wired world has never been more important. People are the first line of defence and with their full support, as part of a balanced programme of protective measures, an organisation will be well placed to mitigate the information risks it faces.