The most advanced systems can be undone by human error. Winning security buy-in from staff is a crucial part of your role. By Mark Mayne.
Aesop in his Fables wrote the immortal line, “you can't please everyone all of the time”, and it certainly holds true in IT security. Info-security professionals have to walk a tightrope that traverses many territories, from IT through business imperatives to people management. This last point is often neglected, and the days of the IT-focused security officer simply sending a ‘don't click the links' round-robin email should be long gone. So what are the alternatives? How are they transforming security initiatives across the globe and how can you achieve security buy-in from your staff – without the pain?
Chris Burgess, behavioural psychologist and senior security advisor, Cisco, says: “The first and most important thing is that technology doesn't equal security. It's a well-worn statement, but you need people as well, and there's often a real gulf between IT managers and customers or users.” This gulf is the source of much discord, as it renders communications between the two groups ineffective, and can even alienate one side from the other. All of which feeds into the classic image of IT geeks in the basement, unable to communicate meaningfully with ‘normal' employees.
Martin Smith, chairman and founder, The Security Company, echoes Burgess: “You can put an amazing security system in place, but if nobody understands how to use it, it will go wrong. It's all about the human factor, and unfortunately most of the security officers I meet simply don't get it. Security training can't just be about ticking the box, it's got to be about making sure that people understand the everyday rules, and why they are there. For example, making all employees undertake computer-based training courses once a year just isn't sufficient. It has to be part of people's everyday lives, so that they can relate to what you are asking them to do.”
Getting staff to empathise with the policy being communicated is clearly key. As with any edict from ‘on high', if the realities of people's working lives don't stack up against the demands of the policy, it will be widely ignored. Burgess adds: “The various business units have to be part of the security policy, otherwise you run the risk of stopping those units from working with your policy. For example, when a salesperson is giving a client presentation and they know that the anti-virus will begin a scan in ten minutes that will freeze their machine, would you rather they didn't begin, or that they switched off the AV?”
Smith believes the most pragmatic approach is to provide a real-life analogy when communicating security policies. For example, when promoting good password security, he recommends that users be encouraged to think of their password as their front door key. “This way, people can relate to what you are telling them,” says Smith. “Just saying ‘don't write it down' isn't helpful. However, making people think of an everyday item such as a door key encourages and reinforces careful behaviour. I often tell people to think of a password like their toothbrush as well – don't share it, and keep it somewhere safe.”
Burgess thinks that the issue is often with the channels of communication rather than the content: “Just sending an email outlining your security policy simply isn't good enough. It has got to be planned more like a marketing event – you need to sell the policy, not just state it.” Therein lies the rub – policies are generally designed and issued by specific departments, and marketing rarely gets a look in.
This is especially relevant to IT security, where it is often necessary to share complex, technical principles in a simple, digestible manner. Often an in-depth understanding of the technical details of the issue is a barrier, rather than a boon, to simple communication.
Burgess continues: “There is a whole range of learning tools available to business now – so go out and use them. This isn't just a localised problem either – while security policies are devised globally, they are always implemented locally, and ensuring that they mix and resonate with local culture is critical.
“This is not just about wider culture, but often about internal culture too, such as the culture of the accounts department, or human resources, which is different to the culture of maintenance, or IT. There are different ways that each department processes information, and one size just doesn't fit.”
Education models have changed fundamentally in the last ten years or so, and where once a verbal or written learning process was favoured, now there is a widely held belief that teaching is best structured so that it allows multi-sensory learning. This can be broken down into visual, auditory and kinaesthetic (education through doing) learning. Although some individuals show a preference for one particular method, most people learn best with a mixture of these techniques.
Most good adult learning courses provide materials in a variety of formats, so why should a questionnaire or a section in the employee handbook be any different? And many training centres in different disciplines are beginning to use cutting-edge techniques such as neuro-linguistic programming (NLP) to achieve more effective, faster learning, due to faster response to the material.
Burgess agrees about the need to switch on more to these methods: “As an industry, we need to become more sophisticated with our security communication. Use videos of people doing things right – not wrong. Provide positive role modelling – not the purely negative ‘don't do that' message of old.”
Dr David King, chair of the Information Security Awareness Forum, believes that technology does have a part to play in the new order: “You need your technology to lead staff in the right direction here and remove some of the pain: for example, provide encryption across the board as a default setting. It is also important to have good sources of information available, with clear, relevant policies set out in an accessible manner.
“Remember that employees play a variety of roles every day, in different fields, such as being an end user at home, but maybe in a more technical role at work. They need to be able to find the relevant information for their role without searching through huge documents on the intranet. Asking people to make time for that kind of information-hunting just doesn't work.”
Of course, communicating the finished policy is only part of the battle. Actually drafting one in the first place can raise issues. Ann Bevitt, a partner at IT specialist law firm Morrison & Foerster Europe, believes that many IT departments can easily lose their way when producing company-wide policies. “Consistency is absolutely critical when implementing or enforcing company policies, and avoiding discrimination issues is obviously vital. It's also important that policies are regularly updated – one that is two years old is simply no good. Overall, though, the biggest single issue is a lack of familiarity with policy drafting.
“It's vital that IT operations, such as the security department, work with HR at an early stage when producing security policies. Without a proper framework, policies can be unenforceable. For example, employee monitoring without explicit consent is inadmissible as evidence in the US and France in the event of a dispute arising. Internal departments may be unaware of the specifics of international data law.”
John Colley, managing director, EMEA, at certification body (ISC)2, also believes that HR has a key role to play in developing robust policies. “HR professionals can play a pivotal role in driving security messages, policies and procedures and really contribute to corporate security in all employee management practices,” he says. “This is important because employees are faced with decisions every hour that can impact on the security of an organisation's – or its customers' – data.”
Martin Smith agrees. He often poses the rhetorical question ‘how many security staff do you have?' to major organisations. “When I ask this, the majority of CISOs begin listing their department, then adding on their physical security force and so on. This is fundamentally wrong – all employees should be part of the enterprise security system. Just changing behaviour a tiny bit, such as locking workstations when you go for a cup of tea, or challenging (in a courteous way) people without a visible ID pass, will increase security enormously for no measurable cost.”
It is clear that communication is the point in question here. It is hardly a new topic, but is still not as widely addressed as it should be. Although there is growing recognition of the importance of in-depth, targeted training, much of the IT security world is yet to utilise the resources available.
A growing number of blue-chip corporations are using external agency experience and resources to market corporate messages internally – specifically those relating to privacy and security, as their overall importance grows. However, any size of company can take advantage of the concepts of effective communication and improve their security for a fraction of the cost of a new IDS box. It's time to start thinking clever, not just boxing clever…
BANKING ON STAFF
Barclays is a major financial services provider, with an international presence, engaged in retail and commercial banking, credit cards, investment banking, wealth management and investment management services. Operating in 50 countries and employing 150,000 people, it handles financial information for 42 million customers and client companies worldwide.
Julian Parkin, group privacy programme director, Barclays UK, says: “Barclays manages a huge amount of information, and we need to handle it competently. We can't simply institute technology, such as encryption, and expect that to be the answer. We need policies and procedures that actually work.”
Barclays decided to launch an integrated internal campaign to raise awareness of privacy across the group, using a variety of digital and traditional media. “We held a beauty contest of three agencies,” says Parkin, “and ended up going with Blue Goose, due to its blend of expertise.”
‘Th!nk Privacy', the campaign that Blue Goose created for Barclays, involved eye-catching images, such as a data CD blended with a circular saw blade, designed to make employees think about data security and privacy. Luggage tags were handed out in lifts and stickers placed on entry and exit points to raise awareness. “This was all about catching people at the point of behaviour and saying ‘think what you are carrying'. Most people agree that leaving data on the train is wrong, but we needed to approach people before they arrived in that situation,” explains Parkin. “We were keen to alert people to the dangers here, but not to over-emphasise and make them switch off entirely.”
Laptop sweeps were undertaken by internal security staff, who left parking notice-style notes informing staff that their laptop had been impounded. In addition, a series of ‘ambient media', such as mugs and rear-view mirrors with campaign branding on them, was distributed. An intranet microsite was also constructed.
The campaign was launched last year into two UK business units of around 10,000 employees. The microsite had more than 3,000 page views and support has been high. Parkin continues: “We'll be launching the same campaign in a European country in early 2009, and ultimately will design a toolkit to allow regional centres to pick and choose the elements that will work best for them. We've had very high levels of support from all areas, which has been key to the project's success.”
Additionally, a series of short films was commissioned, highlighting five key steps in information risk management. Mark Logsdon, Barclays' deputy head of information risk management (IRM), said: “We wanted to update some of our IRM policy, which had become a bit dated. We agreed five principal behaviours across the business, such as using technology appropriately, managing passwords and reporting incidents, and took these to a production company called Twist and Shout. The idea was to get light-hearted, The Office-style shorts that would be standalone, and could not only be virally distributed within the company, but could be used for multiple purposes, such as training.”
A key issue with awareness projects is the tracking of results, and to this end the team at Barclays is working on building a suite of metrics that demonstrate the growing understanding of security and privacy issues. Assessing reach, levels of understanding and finally the influence on action (such as reporting or responding to an incident) is vital. Stephen Bonner, global head of information risk management for investment banking at Barclays Group, says: “We are ultimately aiming to establish a metrics dashboard, but assessing the various sorts of data that we have from a huge variety of sources will take some time, and it is a learning process. Metrics is one of the most overlooked aspects of this business.”
SELLING SECURITY TO STAFF: TOP 10 TIPS
1. Every employee must be aware of and knowledgeable about the corporate information security (IS) policy. This policy should include detailed guidelines and procedures, and be closely aligned with business priorities.
2. Management and staff within any organisation must have a common understanding of the importance of security issues, along with an appreciation of enterprise-specific vulnerabilities and threats. They also need to understand and accept their own security responsibilities and ensure there is a confirmation process in place.
3. Executives should be aware that although insiders continue to be the primary source of most security risks, attacks by organised crime and from other external sources are increasing.
4. All customer information must be classified according to risk, and those who regularly deal with high-sensitivity customer data or confidential business information need to be aware of their value. Ensure that common attack vectors are explained and understood.
5. Each employee should understand the personal consequences and business problems that will ensue if best practice, as defined in policies, standards and guidelines, is not followed.
6. There must be a clear, impartial evaluation plan, which formally assesses the post-training behaviour of staff and management.
7. Different groups in your organisation require different levels of technical detail and information. For example, business users need information regarding proper handling of iPods and USB drives, rather than detailed information on data storage architecture.
8. Senior management must not only endorse but promote the approach and content of the IS policy, with an emphasis on good communication, comprehensive awareness of key issues and compliance with relevant regulations.
9. A risk management policy needs to be established to define risk limits and risk tolerance and to ensure that clearly structured roles and responsibilities for risk management ownership and management accountability are in place.
10. Proper attention needs to be paid to the wide range of legal and regulatory requirements that affect the business, such as data privacy, copyright and internal control demands.