Don't blame 'stupid users' for data breaches


Security breaches that can be traced back to the actions of one individual are not the fault of one "stupid" employee but rather a failure to educate and engage the whole workforce around the importance of good security practice, according to a leading academic.

Speaking at the Cyber Warfare 2008 event in London this week, Debi Ashenden, senior research fellow at the Defence College of Management and Technology at Cranfield University, said most companies overlook the importance of employee behaviour when it comes to securing their IT and information systems.

"Lots of organisations claim to have a culture of information security but in most cases I would say that this is not true and unfounded," she told an audience made of military and civilian IT security specialists. "We need to get end users on side. We can't ignore them anymore. We need to move away from command and control and interact with them."

IT security managers do not like the idea of empowering end users and would prefer to be able to "lock them down" in the same way employees' PCs can be locked down, said Ashenden.

Ashenden's speech made reference to several recent high-profile security breaches, including the exposure of 25 million individuals' records by HM Revenue & Customs (HMRC) in November last year, and the loss of an MoD laptop containing the records of some 600,000 defence personnel.

Ashenden claimed that although breaches such as HMRC had led to a new focus on IT security, based around improving processes and technology, the incidents were down to human factors. "We need to find a way to make people streetwise and question core beliefs so they question this kind of behaviour before it's carried out," she said.

A survey from PricewaterhouseCoopers (PwC) released this week appears to back up Ashenden's assertions. The results show the proportion of companies that have an information security policy has quadrupled over the last eight years.


However, one of the report's authors, PwC's Chris Potter, said having a security policy alone does not magically improve security awareness among staff. "What companies are realising is that increasing security awareness is only part of the answer. The critical issue is changing the behaviour of their people."

There has been a spate of high-profile security breaches dating back to mid-2007, which has led government watchdogs to demand that action be taken against organisations and individuals who fail to safeguard data and information. In a document submitted to government in January this year, information commissioner Richard Thomas called for the Data Protection Act (DPA) to be amended to include a penalty for data controllers "knowingly or recklessly failing to comply with the principles" of the DPA.

Ashenden claimed there has to be a fundamental shift in the behaviour of senior IT security professionals towards end users and the importance of understanding social interaction within companies.

"Most information security managers didn't come into the profession to get involved in cultural change and to talk to end users. They came in because they have an interest in technology," she said. "But we have to measure values, attitudes and perceptions of end users and aggregate the information to craft cultural change."

In response to those IS professionals who suggested there are no hard quantitative approaches to the analysis of attitudes and behaviour of employees, Ashenden claimed there are recognised ways to tackle this kind of analysis of end-user behaviour that are already used in social-science disciplines.

Responding to a question about the failure of software makers to build user-friendly security systems, Ashenden agreed that approaches such as pop-up warnings in operating systems were ineffective, as users eventually become conditioned to ignore them. She also referenced a quote that claims hackers often pay more attention to the human link in the security chain than security designers do.

The PwC survey is part of the 2008 Information Security Breaches Survey created on behalf of the Department for Business, Enterprise and Regulatory Reform. The final report will be launched in London at the Infosecurity show on 22-24 April.

Talkback

I agree that the "stupid users" should not be punished. Organisations with these threats and risks need to enforce the policies with security technology that removes the threat. Don't rely on a written document to protect vital information, sensitive information and business critical information. Get smart and give your IT and Security Managers the budget to invest in Gartner approved technology and save you from the embarrassment of possible breaches in the future.

Prevention is better than a cure.... Wake up and don't wait for a legal battle to make the move

Zeebs 3 April, 2008 12:15
Reply

This post has been removed by a moderator.

Hey Zeebs,

Thanks for your comments. Policies and the right tech are definitely an important part of the story but I think that what Debi was really pushing is that they are not the whole story by any means.

You can have all the rules and regs you like and robust tech but if you don't make the effort to find out how your users actually behave then your information security strategy is going to have a big fat hole in it.

The problem, as she pitched it, is that not many technical managers want to roll up their sleeves and actually analyse human behaviour - they would rather just seek a tech solution as that is where they feel most at home.

andrewdonoghue 3 April, 2008 15:43
Reply

Yeah I think that is the case but I was just stretching the point that if you had technology in place to enforce policy then the need to monitor the human activity would be reduced. Plus with offerings from companies such as IBM ISS and the ADS function which links in to the IPS, it allows you to monitor employees' activity on the network and disable activity if anything seen as malicious is occurring. In organisations with 500+ employees it's always going to be fighting a losing battle to educate the importance of security.

Zeebs 3 April, 2008 16:08
Reply

If they had a BS7799 or ISO 27000 security audit it should prevent excessive permissions to junior staff. Implementing Role Based Accounting would help, but requires experienced and knowledgeable staff to get it working. Selling the idea should be easy NOW that senior staff will have to start listening, but some of them cannot or will not understand unless the outsourced IT company pays a penalty (BIG TIME), otherwise the incentive is lost or not remembered.
If the staff are the weak link then integrate the basic IT security into your annual Health and Safety tests done by ALL your staff. Ensure your HR department checks all staff have completed the H&S, IT security, basic policy and compliance.
The policy should prevent silly events from happening, and staff awareness of what should NOT be done. But what about the managers who break the policy and procedures and insist on the lowest cost or lowest work required? (Organ donor?)

ben channell 7 April, 2008 12:59
Reply

This post has been removed by a moderator.
