Shortly before the chaos of Infosecurity Europe, I joined David Emm, senior security researcher at Kaspersky Lab, for lunch in a lovely quiet gastro pub in the Oxfordshire countryside.
Whilst I frequently publish Emm’s quotes and photos in the magazine, we both agreed that this was most likely the first time we’d met properly in person, and I’m glad we did.
If I were to pick the single most significant thing that I took away from our discussion, it would be this: Emm believes that awareness, not money, is what the UK government needs in order to advance the information security movement in the UK.
“The UK government’s entire cyber security fund strategy is £650m - but raising business awareness is really what’s important. There have been a lot of new government initiatives which raise the profile of information security. Isn’t that the main point?” he asked, rhetorically.
We talked about law enforcement’s role in cybersecurity, and Emm was inherently positive. “Law enforcement are getting more involved, and cybercriminals will gradually be held more accountable”, he said. “Law enforcement is well experienced in dealing with cybercrime, but less so in handling targeted attacks”, he told me thoughtfully.
Back to awareness… Emm has a call to action for both private and public organisations; one which I believe makes complete sense. “We need more awareness campaigns for consumers. Raised awareness in the consumer sector will impact employee behaviour within their business. Ultimately, it’s the same people”, he said. He referenced the drink-drive campaign as an example. “It’s about awareness, not training. Businesses are missing a trick: make it matter to them as a person, teach them to be safe at home, and reap the rewards at work.”
When training goes wrong…
Asking new starters to complete information security training is “the worst possible idea – what bad timing”, Emm exclaimed. “That’s the time where they’re thinking about where the toilets and canteen are, not the information security policy.”
A second error frequently made by organisations is putting the ‘techies’ in charge of awareness and training. “They can’t adequately communicate the problem. The key is making the message appeal to the audience.” The marketing department, suggests Emm, has the skillsets required to adequately carry out awareness campaigns.
The importance of awareness should not be underestimated, argued Emm, as although today’s breaches and attacks are all very sophisticated, the starting point is almost always “someone clicking on something.”
Education should start young, said Emm. When I pressed him for an age, he said 5. “We need to be educating children about security, social media security and programming as soon as we possibly can. We don’t want systems of the future to consider security only as an add-on.”
The government, Emm told me, are aware of the importance of the right computing education and there is “valid concern that the current curriculum won’t deliver it”, he said. At least it’s on their radar…
David Emm, a pleasure to finally meet you.