All the technology in the world won't help if your employees don't follow security policies, so how can you win them over?
Money can buy you many things, it seems, but not perfect security. Organisations have been investing in IT security over the past few years, but laptops and disks full of sensitive data are still going missing and corporate networks are still being hacked.
In all these breaches, the common link has become increasingly obvious: employees. Whether they are failing to abide by corporate policies, simply don't know about them, or work in a company that has no security policies in place, staff are mailing out millions of user accounts without proper encryption, giving out passwords over the phone and double-clicking on attachments that promise naughty pictures of Angelina Jolie.
A recent survey of 1,000 IT managers by mobile data security specialist SafeBoot showed that 54 per cent of respondents felt that the majority of their employees ignore company security policies, mainly due to a lack of understanding and "not taking it seriously".
The answer then should be clear: educate employees about the risks and what they should be doing to reduce them. And indeed, some companies are already doing that. But SafeBoot's research shows that 98 per cent of IT managers rely on memos and emails to communicate security. As Tom de Jongh, product manager at SafeBoot, points out: "You can't trust employees to read memos."
So what is the best way to teach employees about security - and get them to follow the advice? The first step is to realise that not everything is going to happen overnight. "You need to change the culture of the organisation over several years," says Martin Smith, chairman and founder of The Security Company. Smith, who started his career in military counter-intelligence and counter-espionage, has been trying to convince businesses of the importance of security awareness for 20 years.
"It's heartbreaking," he laments. "Infosec is focusing frantically on technology, but it doesn't matter what you spend on security unless you bring people with you. If staff could just know some basic stuff, it would all go away."
Generating this culture of security is an important component of overall security awareness. "There's an awful lot that users need to know - too much," Smith adds. "They're overloaded with information they're not really interested in - it's boring." Rather than trying to teach people using courses, he advises to have constant reinforcements of messages about the importance of security in conjunction with a place for employees to find out information.
Bad awareness education can be even worse than no training at all, Smith suggests. "Employees will always ask: 'What's in it for me?'. If all people see of security is a boring course once a year that effectively pushes the problem on to them so that the security team's arse isn't on the line, that's not a huge sell." Measures such as providing somewhere for employees to find out security information, letting them know that breaches in security could cost the company severely, creating a culture of security and not forcing them to do anything, are far more likely to make employees security aware.
Assuming the constant reinforcement of the message is getting through, employees who are about to perform an action that might be potentially dangerous will pause to think and consult the knowledge zone for the correct procedure. "Then you'll have employees thinking: 'Send out 25 million bits of information? That doesn't sound right. I'll just check the knowledge zone,'" Smith says.
Obviously, creating an intranet knowledge zone or having a security support team to answer queries takes resources. Cliff May, consulting manager at Integralis, often has to teach employees of client organisations about security as part of ISO27001 audits. He uses seminars and e-learning packages to educate users, but prefers seminars. "E-learning is not as effective. If you run tests, sometimes people get the answers off someone else - it's a paper exercise they just want to get over with."
Nevertheless, they can work well if you're prepared to invest in them properly. Paul King is a member of Cisco's security programmes organisation, which runs training around the world. As well as an initial induction programme that uses face-to-face training, Cisco uses e-learning systems featuring specially shot videos put together by professional video makers. "We keep them quite short, simple and interesting. There are also questions interspersed throughout, although they're not as hard as an exam."
Cisco has an internal home page with links to take people through to the e-training videos. Using web analytics, the company monitors which employees have been watching videos. "Everyone in the organisation understands that the need for security awareness comes down from John Chambers (Cisco's CEO)." But if employees aren't watching the videos they're supposed to be watching, their line managers will be asked why.
King says the company can also tell how effective training has been through other means. A recent video on "shoulder surfing" emphasised the importance of using privacy screens when working on laptops in public places. A link next to the video took the user to a place where they could buy a screen through their department's budget. "Take-up was huge. Lots of people now have screens on their laptops. That's our measure."
Cisco only produces a few of these videos. For the most part, it provides a constant background of security information to create a secure culture. It uses poster campaigns and newspapers among other things. A recent effort suggested employees should think of themselves as "security champions", trying to keep the company safe.
However, Robin Adams, head of the security division at the Logic Group, cautions against relying on posters. "The feedback I get is that posters work for about a month." Similarly, signs to remind users of good behaviour tend to fade into the background within days.
Although seminars can be expensive and not as effective in the long-term as other methods, they can work well in small companies. Firebrand offers low-level training courses that clear away jargon and acronyms - something that can creep in if security staff put on their own seminars without input from marketing, training or HR departments.
David Cole, academy team leader and senior consultant at risk consultancy DNV, suggests that role-playing works well in workshops and seminars. "There's a danger in infosec training that you end up showing slide after slide," he warns. "But you need to make it fun. You can have training exercises and create a scenario that builds slowly over the day."
May at Integralis uses anecdotes from his forensics career to enliven his sessions. "You get senior people turning up because they hear it's interesting. If you can add a bit of humour, they can enjoy proceedings." He also advocates the use of role-playing: "They have to think for themselves. It's a good way of making it sink in." Nevertheless, although he is in favour of induction courses, he considers a presentation by itself "virtually worthless".
It could be you
Getting employees to pay attention to all these messages usually involves sticks and carrots. Annual exams can test how much has actually sunk in. Strong punishments for people who have knowingly broken security policies can set an example and demonstrate the company is serious about security. But the Logic Group's Adams says that, in his experience, painting a worst-case scenario of what could happen works "amazingly well" when it comes to convincing staff to abide by the policies anyway. "If you explain that credit-card companies might take away their ability to process cards for orders, together with the effect that would have on jobs, people really listen." Explaining what information might be worth to criminals also helps, he adds.
Ultimately, no matter how good security technology becomes, people will always be a weak link. Ignoring this fact is, as Smith suggests, like focusing on brain surgery when the patient is dying of the common cold.
TOP TEN TIPS FOR YOUR STAFF
1. Make sure that all redundant equipment, documents and waste are removed as appropriate. It's no use protecting data on your PC if it's on your desk for everyone to see.
2. Lock your workstations when left unattended and log off at the end of your working day.
3. Don't share computer passwords except under the most exceptional emergency circumstances.
4. Don't make your password easy to guess. It should be at least eight characters, different for each account and not based on personal things such as dates or pet names.
5. Organised crime is at work and the average criminal is more motivated to steal from you than you are to defend yourself.
6. If you have a laptop, don't leave it on display in your car. Get a laptop cable lock. Many thefts are crimes of opportunity.
7. Avoid working in a public place, you never know who's watching. If you must, get a privacy protector.
8. Do not connect devices such as iPods, USB drives or even CDs to your PC without checking with IT - these can all carry malicious software.
9. Don't reveal details of your work security with anyone. If someone is trying to break in, they'll try to get as much information as possible.
10. If you think something is suspicious, report it. Many crimes are successful because earlier, unsuccessful break-in attempts weren't spotted by the right people.
CASE STUDY: RICOH
Japanese digital office-solutions company Ricoh has nearly 82,000 employees and offices in more than 150 countries. Three years ago, the company decided to go for a single global certification for ISO27001.
Kevin McLean, information security manager at Ricoh Europe, has been in charge of the EMEA aspects of the certification. "In order to achieve the certification, we created a project team. The team worked with the IT, HR and facilities management departments to establish the information security management system (ISMS) with a focus on access control, from IT systems to buildings. Recruitment policies were reviewed to cover the management of contractors and permanent personnel."
However, McLean knew that employee awareness would also be a vital part of both certification and the company's security policy. "While we strive to be as strong as can be with physical security, it can all be undone by people," he says.
So he and his team created a security awareness programme. They began with pilots in a number of offices, including the company's European HQ in London. They also set up ISMS business representatives groups, bridging units at each pilot area between their own division and the rest of the company, which met to decide activities and projects designed to improve employee awareness. "We tried a number of things to see how they were received." Since the pilot project at the HQ was in a relatively small area, it was possible to take advantage of "water cooler" chat to discover how much of the message was getting through. Managers told them that more staff were wearing ID badges, clearing their desks at the end of the day and performing other actions they had been advised to perform.
To get the message across, the unit devised initiatives including informal launches, articles on the intranet, a staff handbook and mandatory awareness training. Staff were also given free gifts, including a personal alarm and SIM card replicator, to reinforce the security message. A set of "11 commandments" based around the "DOIT" slogans ('protecting documents, office and IT') further added to the message.
"HR and marketing helped come up with the slogans," recalls McLean. "And HR were able to tap training and similar resources." Seminars and workshops involving role-playing allowed staff to explore security issues related to their working day. "Employees weren't interested in big picture stuff. It was all about 'How does this affect me?'"
Although Ricoh now has the certification, McLean says the programme will continue. "We're always going to be improving it."
WORKING WITH OTHER DEPARTMENTS
If security is seen as an IT issue, it will be left to the IT department to sort it out. Apart from the crippling amounts of extra work, that will mean security being someone else's problem rather than an issue for the whole company. So it's important to get other departments to work in conjunction with IT to ensure that the security message gets through and is seen as everyone's concern.
This usually involves board-level support as well as a "bridging unit" or a business relationship manager, depending on the size of the company, to liaise between IT and other departments. If you can get funding from those departments, they will be far more committed to the issue than if they are merely asked to give up their time.
The HR and legal departments can be useful, as they can ensure that employee contracts include suitable rules about security and IT use, together with appropriate actions in case employees break them. This means that if someone does cause a security breach, the contract, together with the training given to them, significantly reduces the chance of a lawsuit for unfair dismissal being filed against the company. Liaising with HR means security training can be part of the induction programme, avoiding the problem of security being seen as something "other".
Marketing, training and other corporate communications departments have those vital people skills that some IT specialists lack. When creating awareness campaigns, marketing can help to devise the most effective methods of getting the message across. And while IT can certainly provide the information about security that needs to be given to employees, a training or HR department is far more likely to be able to deliver seminars and courses in a way that non-technical people will appreciate.