Brian Honan asks why the most critical part of an IT strategy tends to be the most ignored, and suggests how to solve the problem.
Like a chain, the strength of any information security management programme is only as strong as its weakest link. Very often that link is people. People unknowingly click links in emails or open attachments, they choose insecure passwords and in some cases share those passwords with colleagues, they fall victim to clever – and not so clever – social engineering attacks or they simply bypass your security controls because they want to get the job done quicker.
The attack on Google’s offices in China earlier this year is a prime example of how an unwitting staff member can undermine all the security controls that are in place. One reason the attack was successful was due to a staff member clicking on a link in a phishing email directing them to a website set up by the attackers, which then downloaded malware onto the employee’s computer. From there the attackers were able to infiltrate Google’s internal systems.
Yet despite repeated evidence that the human element is a contributing – and in many cases the only – factor in many security breaches, organisations still continue to invest in more and more technology while ignoring how to make staff more aware on remaining secure. There is little or no point in investing in an expensive encryption solution if staff still use weak passwords or write them down in the same place as the encrypted device.
Staff equals security
Studies have repeatedly shown that the biggest return for your information security investment is in training staff to be more security aware. The challenge is ensuring the awareness programme you put in place is suitable for your organisation and for your employees.
As security professionals, we often take for granted that people understand or appreciate the security risks that face our organisations. While security professionals might like to think that everyone takes information security as seriously as they do, the reality is not the case and that people are more concerned about getting their job done as best as they can. If this involves taking data home on an unencrypted USB key so they can work on it over the weekend or downloading a file onto their PC without checking it for computer viruses, then that is what they will do.
To create a successful security awareness programme, security professionals need to ensure what they put in place is appropriate to their organisation and engages at the right level with staff. This can be a major challenge for many security professionals as their expertise is focused more on technology rather than on how to engage with people. But there are a number of steps that they can take to ensure their security awareness programme is successful.
How to implement a security awareness programme
Firstly, ensure there is senior management backing for the programme. Without the financial and managerial backing from the executive suite it will be very difficult, if not impossible, to get people engaged in the programme.
Secondly, understand the business the organisation is in and what the unique challenges it faces are. This need not necessarily be a complicated process but can be simply achieved by engaging with your peers in other parts of the business. Meet with the management in various business units to discuss with them what their unit does, what its key goals and drivers are and the challenges it faces. Nor does this have to be an overly formalised process; it could be achieved quite simply by having coffee or lunch with those key people.
You should then develop your security awareness programme based on the feedback received. What you will probably find is that not one size will fit all. You may need to tailor the type of awareness programme you put in place for people working in different areas and levels of the organisation. For example, those who work with sensitive data such as HR, payroll and customer services may have their programme focusing mainly on privacy issues, whereas the programme for those working out of the office, such as sales, would focus on mobile security.
How you deliver the key messages within your security awareness programme is something you will need to determine. The primary challenge will be making people care about a topic which is alien to them. Bombarding people with presentations and brochures may not engage them effectively enough to ensure the key messages are retained.
One successful way of overcoming this challenge is to coach the security programme in language and scenarios that people will understand and appreciate. If you can create learning scenarios which appeal directly to the audience, the chances of your information security programme adhering greatly increase. Tapping into people’s concerns about the security of their home PCs is often one way to make them more aware of the online threats posed against them and how these threats are also applicable to their work environment.
A key point to remember is to keep the language in your awareness programme simple and non-IT focused. Having the wrong language, or using IT buzzwords, can result in people simply not listening to the message and could also result in people looking at information security in a negative light.
To ensure the successful delivery of message you should engage with your marketing and HR departments. Your marketing department can assist you in how to package your security awareness programme so that it appeals more to the intended audience. The human resources team is also an excellent ally to assist you in publicising and reaching out to all staff. Not only can they help you keep track of who has attended the various training courses, but they may allow you to utilise regular staff communication media such as the company intranet, staff updates or staff magazines.
An effective security awareness programme can be a crucial link in the security chain that protects your organisation. Those responsible for IT security need to make sure that enough time, money and resources are invested into it to prevent it becoming the weakest link.
By Brian Honan
Brian Honan is founder and CEO of the Irish reporting and information security service (IRISS).
