Humans are the weakest part of your information security system

By ISBuzz Team, September 16, 2013 (updated January 5, 2026). 7 min read.

Michael Brophy, Certification Europe’s CEO, highlights why the human element is the weakest part of your information security system and sets out how to prevent data breaches.

“Those who cannot remember the past are condemned to repeat it.” – George Santayana

“That engine of fate mounts our walls, pregnant with armed men.” – Virgil

What would you do if you found a USB key branded with your company logo outside your offices? What do you think most of your colleagues would do? The Trojans made the same mistake over 3,000 years ago when they wheeled the horse inside their walls, and the odds are that most of your colleagues would still make it today.

As the digital age develops we find ourselves ever more reliant on information and on the information systems that hold it. You cannot have one without the other, and as an intertwined pair they have become steadily more advanced.

In the past 20 years information security has become much more complex. Information that was once held on printed media and protected by lock and key has given way to digital data, which is now protected by firewalls, access control software and encryption.

However, there is one important element that has not changed in all of this time.

The human element has not changed in 3,200 years. It has been, and remains today, the weakest link in the information security chain.

Even awareness of the threats posed by the human element of a data security system does not in itself typically lead to behavioural change. Staff at every level, from front-line workers to senior influencers, report that while knowledge is an important factor in how they approach information security, it is not the only consideration.

Rather than engaging in proactive security behaviours, users place their trust in their IT departments and organisational security leaders. They assume that the IT department has implemented foolproof measures to prevent data theft or intrusion, and in doing so sometimes ignore common-sense practices that are effective in preventing major breaches.

True, a poorly thought-out security protocol that is counter-intuitive, impedes workflow, requires additional investment or is otherwise perceived as unacceptable will invariably be ignored or bypassed by users. But even a well thought-out protocol with minimal impact on the user will still struggle to win 100% acceptance among staff. Information security is still often seen as a vague notion, something that happens to other organisations. Yet it is through this small number of staff who do not, or choose not to, follow common-sense procedures that data breaches commonly occur.

Passwords are the front door of most systems, and in theory the more complex the password the stronger the protection, but the human element makes that complexity next to unusable. Who can remember a 12-character alphanumeric password containing a mixture of special characters and upper- and lower-case letters? Now try to remember a different one for each of your systems. This is why we have seen, and continue to see, countless breaches of accounts protected by passwords as simple as "Password" or "Password01". The practical lesson, reflected in current guidance such as NIST SP 800-63B, is to favour length and screening against known-breached passwords over composition rules that users satisfy by appending "01".
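As an added illustration (not part of the original article and not Certification Europe's material), the following Python screens a candidate password in the way the paragraph above argues for: instead of enforcing composition rules that users satisfy with "Password01", it strips the trailing digits, punctuation and leetspeak that turn a dictionary word into a "complex" password and checks what remains against a blocklist. The blocklist and the test strings are constructed for the example; a real deployment would load a breached-password corpus instead.

```python
"""Screen a candidate password for the weaknesses composition rules miss.

Added example, not from the original article. COMMON_PASSWORDS is a
constructed stand-in for a real breached-password corpus.
"""
from __future__ import annotations

import re

# Constructed sample blocklist; a real deployment loads a breach corpus
# with hundreds of millions of entries rather than this handful.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein",
                    "welcome", "admin", "summer"}

# Substitutions users apply to satisfy "must contain a special character".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(candidate: str) -> str:
    """Collapse the trivial tweaks that dress up a dictionary word.

    Lower-cases, strips leading/trailing digits and punctuation, then
    undoes leetspeak: 'P@ssw0rd01!' -> 'password'. Heuristic only; a
    password whose real core starts with '$' or '!' loses that character.
    """
    s = candidate.lower()
    s = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", s)   # 'password01!' -> 'password'
    return s.translate(LEET)                      # 'p@ssw0rd'    -> 'password'


def screen(candidate: str, min_length: int = 12,
           blocklist: set[str] = COMMON_PASSWORDS) -> list[str]:
    """Return the reasons a candidate is rejected; an empty list means accepted.

    Length is checked on the raw string; blocklist checks run on the
    normalized core, so 'Summer2013!' is caught as a variant of 'summer'.
    """
    reasons: list[str] = []
    if len(candidate) < min_length:
        reasons.append(f"shorter than {min_length} characters")

    core = normalize(candidate)
    if core in blocklist:
        reasons.append(f"variant of blocklisted word '{core}'")
    else:
        # Longer blocklist words embedded in the core ('mypassword2013').
        hit = next((w for w in sorted(blocklist) if len(w) >= 6 and w in core), None)
        if hit:
            reasons.append(f"contains blocklisted word '{hit}'")

    if len(set(candidate.lower())) <= 3:
        reasons.append("too few distinct characters")
    return reasons


if __name__ == "__main__":
    # Constructed test strings illustrating each branch.
    for pw in ["Password01", "P@ssw0rd2013!", "MyPassword2013",
               "aaaaaaaaaaaa", "correct horse battery staple"]:
        verdict = screen(pw)
        print(f"{pw!r:34} -> {'OK' if not verdict else '; '.join(verdict)}")
```

The point of `normalize` is that a plain lookup of the raw string would accept "P@ssw0rd2013!" because it is not literally in the list; only after stripping the suffix and undoing the substitutions does it collapse to the blocklisted word. Length is deliberately checked before anything else, since a long passphrase such as "correct horse battery staple" passes every check while the "complex" 10-character password fails.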

The largest security hurdle is the end users themselves, the key organisational stakeholders who have access to your organisation's sensitive data. Even when these users are aware of the types of threat directed at their organisation, their mindset is often that they are protected by the organisation's vast security infrastructure, rather than seeing themselves as the key element within it.

Fostering a culture of data security where users recognise that they are vital components of the overall system is the only way to ensure that all employees are part of a secure data system.

Here are five tips for fostering a culture of data security.

Procedural Audits

Clear, practical and well thought-out security policies, procedures and protocols form the essential baseline that tells users what is expected of them in relation to information security. However, periodic reviews and audits of the information security management system (ISMS), for example one built on ISO 27001, are essential both for keeping sound information security at the forefront of users' minds and for verifying that staff are actually doing what is asked of them.

Granular Training

Random or high-level training is less productive than frequent, granular training. Exercises should be designed to address specific behaviours and practices; there is no substitute for using real-life examples to address real-life issues. Senior management, including board members and supervisors, should attend training events to demonstrate the importance of responsible security behaviour. This helps achieve buy-in among all staff and ensures that no chink is left in your armour.

Cost-Benefit Analyses

Robust information security programmes combine human and technological elements. In addition to the cost of technology, organisations must be willing to pay for improvements in the human element. Fully implementing information security will require a culture change in most organisations, which can be immensely challenging and demands a willingness to embrace new attitudes; yet, if successfully achieved, the benefits can be substantial.

Know your people

Most information security breaches have some element of social engineering at their heart. If the rewards are big enough, criminals are prepared to invest time and energy in getting to know key staff and targeting whoever they judge to be the weakest link. Make staff aware of the need to treat all information securely. Regular briefings about current security risks prompt us to ask, "Who is this person cold-calling our business and asking who our head of IT security is?" In the same way, senior managers should know their own people: who holds which access rights, and which internal contacts could deliver access to sensitive information. As Sun Tzu wrote, "If you know the enemy and know yourself, you need not fear the result of a hundred battles."

Independent Audit

An independently assessed information security standard, such as ISO 27001, helps to bring all of your information security activities into focus. An audit once or twice a year will help you rationalise what you are doing, why you are doing it and what you have achieved. The auditor is your friend; think of them as your conscience. They will probe you for weaknesses, test your systems and then report back their findings. It also gives your team something to aim for and a road map towards continual improvement, and we have found it to be a key part of fostering an information security culture.

Since information security threats are constantly evolving, our management response to human security vulnerabilities must also constantly adapt. The human resistance to change, reluctance to closer individual scrutiny and human curiosity are inherent challenges to rolling out information security improvements.

Back to the question about the USB key: the Ponemon Institute found that 38.5% of the businesses it surveyed in 2011 had suffered a data breach because a USB key introduced malicious code onto their network. 3,200 years on, we are still repeating the mistake the Trojans made at Troy.

The human element and its corresponding failings must be overcome if we are to achieve real information security and prevent breaches of our organisations’ defences.

About the Author:

Michael Brophy | Certification Europe | @CertEurope_

Michael is an expert in the fields of national and international standards and compliance assessment. He has over 15 years’ experience in information security standards for government, military and various business sectors (pharmaceutical, telco, financial, IT and security printing sectors).
