Admit it; one of your major concerns when you’re tossing and turning at 2 o’clock in the morning is that you’ll be hit with some form of data loss, an IT failure, or some other operational disruption. Such incidents have an enormous impact on the IT department – both in terms of perception and reality.
In the cold light of day, there’s still a view that information security will always cost too much and provide too little protection.
A complex issue
It’s not difficult to turn this issue into one of immense complexity – firewalls, penetration testing, ethical hacking, forensics – the buzzwords never stop. But what I’m arguing here is that you can make enormous progress by taking two simple steps: the first is to ensure that a robust security awareness programme is in place, and the second is to move beyond security awareness and create a risk conscious culture. The goal is that everyone in the operation is willing and able to accept and manage his or her own risks.
It’s a sobering thought that every disaster that ever took place can be traced back to a skills issue – from the credit crunch to the Titanic and back as far as the Bubonic plague, it’s a truism that it wouldn’t have happened if we’d had the right skills in place. So if a colleague is hit with a data loss, smile sagely and say “It’s all down to skills!” But the real issue is “Which skills?” And this will depend on what you’re trying to achieve with your security awareness programme.
When you cut to the chase, the fundamental purpose of your security awareness programme will either be one of culture change, or of skills development. In a culture change programme you’re looking to create a security/risk aware enterprise that sees risk (for example data loss) as a pervasive threat that an ever-vigilant mind-set can most probably avoid.
In such a programme you’ll be covering issues like the security incidents exposed by the media, the security risks involved in the everyday use of IT, and issues like social engineering. In addition, you’ll probably want to highlight the exposures that arise from an incident and the personal consequences for individuals of their involvement in a security failure.
In addition, you’ll want to find ways of reinforcing the message – unlike “hard skills”, an individual’s ability to retain a high level of awareness will drain away as fast as water from a leaking canal bank!
A more detailed skills development approach to security awareness is based on the specific skills and behaviours that you’re seeking to develop. In such a programme you’ll be looking at areas such as choosing robust passwords, a responsible approach to e-mail, instant messaging and social networking sites, safe use of the internet, and ways of protecting sensitive information. And the biggest one of all: ways of securing devices that hold data.
This isn’t content that needs to be taught in a formal way, for example, in a classroom. A learner’s time off work is always a critical issue, so look for ways to embed training of this type into the work that people are doing. Short, sharp injections are the way to develop this programme, backed up by a weekly focus on a critical issue and supported by floor-walking and role model identification.
If you’ve already implemented such a programme there are a series of simple tests that you can follow to see if it worked; for example:
- Is there evidence that information is being retained/destroyed in accordance with organisational guidelines?
- Are individuals aware of protection issues relating to the types of information with which they’re dealing?
- Is there evidence of clean desks?
- Test a sample of passwords to see how robust they are (against the stored hashes or the policy in force, never by asking people to reveal them).
- Are the controls on malicious content working effectively?
- Are individuals able to recognise a wide variety of security threats?
- Are they aware of social engineering approaches, and do they know how to handle them?
- Do they know what to do when a threat arises?
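One way to run the password check in the list above, as an added example rather than anything from the original article: an offline audit script that scores sample passwords by length, an estimate of entropy from the character classes used, membership in a common-password list, and a SHA-1 prefix lookup against a set of known-breached hashes. The common-password list and the breached-hash set are constructed here for illustration; a real audit would substitute a breach corpus such as the Pwned Passwords range API, whose prefix-query shape the lookup mirrors. The 12-character and 60-bit thresholds are assumptions, not anything the article prescribes, and the entropy estimate assumes characters were chosen at random, so it overstates the strength of dictionary-based choices.

```python
"""Offline password robustness audit (added example; thresholds and word lists are assumptions)."""
import hashlib
import math
import string

# Constructed sample of commonly chosen passwords; a real audit would load a breach corpus.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "Password1"}


def sha1_hex(password):
    """Upper-case SHA-1 hex digest, the form used by prefix-range breach lookups."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed "breached" set keyed by 5-char SHA-1 prefix -> suffixes, the shape of a
# k-anonymity range query: the full hash never leaves the auditing host.
BREACHED_SUFFIXES = {}
for _pw in ("summer2019", "Welcome123", "iloveyou"):
    _h = sha1_hex(_pw)
    BREACHED_SUFFIXES.setdefault(_h[:5], set()).add(_h[5:])


def charset_size(password):
    """Size of the alphabet implied by the character classes present."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 ASCII symbols
    if any(c not in string.printable for c in password):
        size += 100  # rough allowance for non-ASCII characters (assumption)
    return size


def entropy_bits(password):
    """Upper-bound entropy assuming each character was drawn uniformly from the alphabet."""
    n = charset_size(password)
    return len(password) * math.log2(n) if n else 0.0


def in_breach_set(password):
    """Prefix-range lookup: compare only the suffix under the 5-char prefix bucket."""
    h = sha1_hex(password)
    return h[5:] in BREACHED_SUFFIXES.get(h[:5], set())


def assess(password, min_length=12, min_bits=60):
    """Return a verdict with the reasons a password fails, empty reasons meaning robust."""
    reasons = []
    if password.lower() in {p.lower() for p in COMMON_PASSWORDS}:
        reasons.append("common password")
    if in_breach_set(password):
        reasons.append("appears in breach set")
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    bits = entropy_bits(password)
    if bits < min_bits:
        reasons.append(f"estimated {bits:.0f} bits < {min_bits}")
    return {"password": password, "bits": round(bits, 1), "robust": not reasons, "reasons": reasons}


def audit(passwords, min_length=12, min_bits=60):
    """Assess a sample of passwords, e.g. cracked from a hash dump during an authorised audit."""
    return [assess(p, min_length, min_bits) for p in passwords]


if __name__ == "__main__":
    # Constructed sample input, not real credentials.
    for result in audit(["Password1", "summer2019", "Tr0ub4dor&3", "correct-horse-battery-staple"]):
        status = "robust" if result["robust"] else "weak: " + "; ".join(result["reasons"])
        print(f"{result['password']!r:32} {result['bits']:6.1f} bits  {status}")
```

The script reports on a sample it is given; where it gets that sample matters. Feeding it passwords recovered by cracking a copy of the directory's hashes, under authorisation, tells you something real about the estate; asking staff to type their passwords into it teaches exactly the behaviour the awareness programme is trying to remove.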
Risk conscious culture
It’s time now to move beyond security awareness and into a risk conscious culture. And whilst the IT department can provide guidance, it will be a disaster if it’s seen as an IT initiative. The simple fact is that risk can’t be effectively managed unless it becomes the responsibility of the managers within the organisation; when it is, you’re well on the way to creating a true enterprise risk culture.
You’ll no doubt have individuals that are specifically tasked with areas such as security, business continuity, disaster recovery, compliance, data protection and freedom of information; but they can’t do it alone. They know that, without the support of everyone in the organisation they’ll be spending most of their time fighting fires.
Getting managers engaged is a critical step – and it’s important that the experts adopt the right style. For example, if there’s a request for a new service or new form of connectivity that clearly brings a threat with it, encourage a “yes, but ...” approach rather than a “no, that’ll be really difficult” response.
The “no” response puts the risk manager into the position of an inhibitor/controller. On the other hand, the “yes, but” approach is supportive and positions the risk manager as an enabler/counsellor with the best interests of the manager at the heart of their response. Going as far as saying “I wouldn’t want you to put yourself in the position...” is the 21st century equivalent of Sir Humphrey’s “A brave decision, minister!”