To many organisations, making real progress on developing a corporate appetite for governance, compliance or IT security initiatives is difficult. One CISO working in a large retail organisation likened the activity to “boiling the ocean”. The issues of data protection and data handling have been around for many years, albeit without the level of focus or potential for sanction that exists today. The extension of the use of technology into everyday life, and its development into the cornerstone of modern business, has happened gradually and systematically over the last 20 years.
The reality that we have to face up to is that very little strategy went into preparing for the negative consequences of this change and the ways consumer information is created, managed and stored. As a result, there exists an enormous need for education equal only to the challenges faced during times of supreme crisis, such as a war.
In his “Report into the Loss of MOD Personal Data” in 2008, Sir Edmund Burton found that some of the key problem areas for the public sector involved:
“Not treating information, knowledge and data as key operational and business assets. Information not being formally managed at executive boards across the Department, which constitutes a significant risk to the Department’s operational effectiveness, resilience and reputation.
“Generally, there is little awareness of current, real threats to information and hence the Department’s ability to deliver and support operational capability. Consequently, there can be little assurance that information is being effectively protected.”
This is an accusation that can still be levelled at most organisations, both public and private sector, today, a full six years later.
As a case study of how things have changed in the infosec industry, the Burton report describes the issues facing organisations: “During the Cold War, awareness of real security was ingrained in individuals and organisations. Audit, inspection and compliance regimes were rigorously underpinned by codes of discipline. These well developed processes and procedures have not been translated effectively into the current electronic information age.”
Furthermore, there seems to be a lack of awareness that the behaviour of each individual factors into the risks faced by the parent organisation. Achieving such awareness and appropriate codes of personal and corporate conduct, with effective governance, represents an urgent, high priority task for management teams across the UK.
The human element in any modern information security system is both its strongest and its weakest point. Users, whether at home, at school or at work, can be a great asset in identifying suspicious use of resources and information, yet they can also be careless and irresponsible, negating thousands of pounds of investment and man-hours in a single mouse click. In the workplace, recent research suggests that many users do not feel they have a crucial role to play in organisational security, and few feel they need to observe their organisation’s password policy to the letter.
So how is it that our user base and their business managers are so disconnected from these challenges? How many high profile data breaches are required to reach a tipping point on this issue?
On a positive note, a recent report commissioned by Raytheon and independently conducted by the Ponemon Institute, entitled “Privileged User Abuse & The Insider Threat”, revealed that genuine concern about insider threats is growing in organisations. The study found that 89 percent of respondents say WikiLeaks and Edward Snowden have caused a significant, or at least some, increase in their organisation’s level of concern about insider threats. A similar percentage (88 percent) believes the risk of privileged user abuse will increase or stay the same over the next 12 to 24 months.
There are few quick fixes for mitigating insider threats. The job at hand for organisations looking to minimise their exposure to compliance failure is to construct a strategy that adopts a multi-year, multi-dimensional approach to this challenge.
The objective is to build a security and compliance culture. Similar initiatives for health and safety have become the mantra for engineering and manufacturing companies. These changes in employee and contractor behaviour only came after significant effort, resources and time had been spent.
A fully resourced user awareness campaign, complete with passive activities such as posters, newsletters and awareness days, and combined with active measures such as compliance policy automation and classroom training, is the only way to change user behaviour over time. Such an active awareness regime in turn helps transform an organisation into a business that incorporates Information Assurance as part of its “DNA”. All of the critical requirements of Information Security, from dealing with the evolution of social engineering threats to mobilising staff in the event of an infrastructure disaster, require that employees and third-party partners be in a constant state of readiness. Ultimately, properly funded awareness campaigns maximise the organisation’s efforts to avoid data breaches and compliance failures. Similarly, a structured approach reduces the resource waste that arises from a haphazard one, producing the highest return on governance investment.
Strong unity of purpose is created by involving users and third-party partners in a strategic initiative. People recognise the implications for themselves and their colleagues when they see the organisation co-ordinate resources in this manner. Employees hoping that this will not touch their daily working lives will be caught up in the momentum of the awareness campaign and will inevitably adopt a different personal posture toward Information Assurance than before.
A successful user awareness campaign will also facilitate disciplinary or legal action against users or third-party partners who deliberately break the rules of engagement (ignorance is no longer a defence). Moreover, building a strong IT Security culture signals the company’s commitment to existing and potential customers. Increasingly, many large customers are placing information-loss penalty clauses in their vendor contracts, which is another reason why a data protection strategy is a sound financial investment.
The cost and reputational damage of a data breach, business disruption or compliance failure in today’s business environment are only too apparent. IT Security awareness campaigns must therefore grapple with the major determinant of these outcomes: people. By changing the security and risk culture, an organisation can significantly mitigate the risks associated with these types of incident.
About MetaCompliance
A fast-growing UK technology company, MetaCompliance has become the market standard for best practice policy management and information security awareness technologies. With its international headquarters in London and its software development centre in Northern Ireland, MetaCompliance has a clear vision of making Compliance and IT Security awareness engagement easier for organisations through the development of innovative enterprise software.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.