Companies must ensure that their staff understand the reasons behind security policies and support them, rather than just dictating them from on high, a government consultant said at Secure London 2005 on Tuesday.
Paul Hansford, class consultant for GCHQ and senior consultant at Insight Consulting, said that many security procedures fail because staff don't understand what their company is trying to do.
"It is not enough to get staff to literally 'sign up' to procedures — they must fully appreciate their purpose," he said.
He recalled an apocryphal story illustrating the point: "A colleague went into a government agency and at one cluster of desks saw a line of 'bobbing bird' toys. The system locked out the user if they didn't touch the keyboard for a certain length of time, and required them to re-input their password. The 'bobbing birds' were lined up next to everyone's computer so that they would tap the 'enter' key every 30 seconds."
The underlying beliefs of staff can be at odds with security policy, he said. "People tend to have a 'What's in it for me?' attitude. For example, some people may feel that it's fine to share passwords if it makes the business tick over, their attitude being that business is more important than security," Hansford said.
"Companies need to assess people's security training needs, which includes having to elicit how security 'aware' they are," he said. "Awareness is not just about education and training, but is also an appreciation of, and a motivation to support, an issue."
An IBM security expert emphasised the need to monitor personnel to maintain security levels.
"Personnel security is not just about initially screening and vetting employees, but it's also about monitoring the guy who might have personal problems," said Julian Lander, IT security programme manager with IBM. "If their work performance isn't right, they may be involved in drug or alcohol abuse, or if they have an overelaborate lifestyle — which I've seen in the past — that can indicate possible security problems."
Lander argued that security procedures need to recognise the human factor. "Security is about people. Speaking generally, the way to address the problem is by coaching, mentoring or counselling — all the soft skills that HR has. You have to work with HR to maintain a successful security policy," Lander said.
According to Hansford, security standards become harder to maintain as more staff work remotely - noting that more than half of all UK businesses currently allow staff remote access.
"As more staff work remotely, physical security is difficult to achieve. At the end of the day (employers and security professionals) won't be there, so procedural security needs to be got right," he said.
Talkback
This line; "An IBM security expert emphasized the need to monitor personnel to maintain security levels." is a big joke. IBM remote users connect to their VPN with a single password sign on. IBM does not monitor anything or anyone. One of these days you folks are going to wise up and find out IBM can't find their butt. Security is something IBM can't spell. All companies rely on the user to be accountable for their actions. Until Security developers and companies remove the burden of securing documents from users we are going to have security comprised. Larry Ellison said it best; "To reduce security breaches, businesses should encrypt their databases." He missed it slightly, as he always does. Those intinities that require security should encrypt all their documents. Why don't they? Its too darn difficult. You've got to make it easy for the user, if you don't, it ain't gona happen. One company I know has, they used the KISS (Keep it Simple STUPID) theory. Email me I will tell you the name of the company.
The problem is that what gets selled (or purchased) usually isn't that what works security wise. Because those that purchase or decide usually can't be really bothered with security (it's not what they get tapped on the fingers for if they get it wrong).
So perhaps security experts need to get a grip on the (internal) purchasing and decision making processes first.
After all , security is also about keeping bad things out and getting good things in.