Just having a security policy is not enough. You have to make sure that all staff understand and follow it.
Losing laptops seems to be a fairly regular occurrence in big business. Quite how this has come to pass escapes me, as I've yet to "forget" the extra load on my shoulder when travelling (although I've often wished I could). It probably helps that my laptop is actually mine, not funded by someone else, and losing it would make a dent in my budget I would rather avoid.
Recently Nationwide was fined nearly £1 million for mislaying a laptop full of customer data. Although unfortunate for those customers whose data went missing, I think this is actually a good thing for computer security as it illustrates several common problems.
In its defence, the building society did directly inform its customers and also clearly stated that the company, not the customer, would bear the cost if any fraud were to result. But it's not all as good as the press release makes it sound.
Reading the Financial Services Authority final report on the subject (www.fsa.gov.uk/pubs/final/nbs.pdf) reveals a worrying set of problems. Most press reports have concentrated on the likely technical concerns, such as disk encryption. However, the report also details procedural issues that are not so simple to fix and undoubtedly affect other businesses.
A key problem lay with the Nationwide's security policy and, more importantly, how well it was understood and followed by staff. The document was poorly structured and failed to clearly prioritise different security precautions. Although published on the company's internal website, it had no search facility. Indeed, online distribution is hardly ideal for in-depth procedures, it is much better suited to refresher information and interactive procedures.
All too often companies will publish a policy and just assume that people will understand and follow it. Life is rarely this simple. Creating a policy document that is easy to understand and follow is a difficult job, and often left to technical staff with no documentation training or experience.
And it's not just the security world that has this problem: in the aftermath of the Piper Alpha oil rig disaster in 1988, the procedural documentation was found to be sadly lacking. Indeed in many accident investigations, procedures or the failure to adhere to them is often found to be a key factor.
Although staff were required to sign up to Nationwide's policy, no checks were made to see if they really understood it. While this might be okay for the typical small business, where policies are fairly simple, in the financial services world the stakes are much higher and the education process should reflect this. How much easier my school life would have been if I could have just signed a form to say I had read and understood each subject's syllabus!
Of course sitting everyone down for a security exam is a sure way to lose your last few friends as a security person, but there are other ways. Online and paper documents can include self-test facilities, and training sessions can have practical exercises.
The building society provided training, but it was not tailored to specific job roles. Like good documents, good training is matched to the general audience, and a competent trainer will rework the material on the fly to cope with each different group of trainees.
Yet much corporate training is delivered by people with no educational experience. Would you be happy having your children taught by an unqualified teacher? If not, why put up with it for your staff?
Of course this is an unfair generalisation, but I suspect that some of these problems will exist in varying degrees in most large companies. In the same way that software is easiest and cheapest to fix in the design stage, equipping staff with good education and supporting material early on is the best option.
And maybe next time the fine will be paid by the directors themselves rather than the company accounts. That should really concentrate the mind.
- Nick Barron is a security consultant. He can be contacted at firstname.lastname@example.org.