Education, education, education

Kevin McLean, Ricoh
Martin Smith, The Security Company

When the reasons behind the seemingly endless raft of recent data breaches are explored, it becomes clear that the great majority of them resulted not from a technology failure, but from human error.


This statement is upheld by the findings of the annual Information Security Breaches Survey 2008, undertaken for the Department for Business, Enterprise and Regulatory Reform by PricewaterhouseCoopers. The survey indicates that nearly two thirds of the worst security incidents experienced by UK organisations of all sizes over the last year had an internal cause.


Carelessness and thoughtlessness

“Most employees are perfectly happy to follow the rules, but you have to tell them what they are,”
Martin Smith, The Security Company


According to the survey, almost 50 per cent of all companies have suffered an information security breach, and the criticality of such events is increasing. Nonetheless, despite four fifths of these companies considering the issue a high or very high priority for senior management, they still chose to spend an average of just seven per cent of their IT budget tackling it.


So what’s going on? Martin Smith, chairman and founder of consultancy The Security Company, believes that one of the problems is that the entire industry has relied on technology fixes for too long. “People only tend to address what they’re comfortable with and ignore that which is difficult,” he says.


“There are three elements to information security: technology, which is mature and mainly sorted; processes, which are in place to a certain extent but not as good as they should be; and people, which are generally completely forgotten about. But the fact that we’re failing our business masters means that we now need to move on and out of our comfort zone to address this issue,” Smith says.


Malicious security incidents, however, are rare; breaches are usually the result of “ignorance, carelessness and thoughtlessness”, Smith adds. “Most employees are perfectly happy to follow the rules, but you have to tell them what they are.”


Back to School


Staff training and education is therefore paramount, not least in order to raise awareness of the value of data and the role that each individual in the organisation has to play in safeguarding it.


But, says Mike Maddison, head of security and privacy services at consultancy Deloitte, while awareness training may be climbing the management agenda and does not generally involve a huge capital outlay, it tends to be the first thing dropped, particularly during an economic downturn.


“It’s quite difficult to prove the value of training and it’s usually done badly, if at all. People want to do it, but they struggle with how to do it effectively. Most don’t have a formalised approach so they can’t measure success, which means that they adopt a ‘fire and forget’ approach and think it’s embedded when it can’t be,” he says.


To be truly effective, such awareness simply has to become an intrinsic part of the organisational culture, as Tim Watson, head of the forensics and security group at De Montfort University, points out: “If you’re not changing the culture, you’re only going to be partially successful at best.”


The Security Company’s Smith agrees. He indicates that there are 12 things (see box) that, if done on a daily basis, would eradicate the majority of security breaches, but that the real problem is “getting senior managers and staff to commit to it”.


An effective way of doing this, he says, is to identify the key behaviours that need changing and to explain to personnel why things should be done differently. This entails providing concrete examples of the benefits, and of the negative consequences of not following advice. The advice not to share passwords, for example, is one that is often ignored.


“If you ask people to give you their house key, most wouldn’t dream of it, but if you compare that with passwords and say ‘they should be treated with the same care and respect’, most people will say ‘we get it now – it’s not a problem’,” Smith explains.


Before and after


Another essential part of the equation, however, is to measure awareness before and after change. This is possible by using surveys to test comprehension and/or by measuring the number of password renewal requests and incidents of tailgating at turnstiles. Education and training can then be repeated where holes still exist.
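As an added illustration of the before-and-after measurement described above (example code written for this page, not from the article or from The Security Company): the script below takes constructed service-desk and turnstile log lines, compares the monthly rate of password reset requests and tailgating incidents per 100 staff in the three months before and after each site’s training date, and flags the sites where the rate did not fall, which is where the text says education should be repeated. The site names, headcounts, dates, the one-line-per-event log format and the 25 per cent improvement threshold are all assumptions made for the example.

```python
"""Before/after awareness metrics from constructed service-desk and turnstile logs.

Added example, not from the article or from The Security Company. It takes the
two measurements the text suggests (password reset requests and tailgating
incidents), compares the monthly rate per 100 staff before and after each
site's training date, and flags the sites where repeat training is warranted.
All log lines, site names, headcounts and dates are constructed for illustration.
"""
from datetime import date

# Constructed per-site headcount and the date awareness training was delivered.
SITES = {
    "london": {"staff": 400, "trained": date(2008, 4, 1)},
    "leeds": {"staff": 120, "trained": date(2008, 4, 15)},
}

# Constructed service-desk export: one "site,date,category" line per ticket.
SERVICE_DESK_LOG = """\
london,2008-01-14,password_reset
london,2008-01-29,password_reset
london,2008-02-11,password_reset
london,2008-03-03,password_reset
london,2008-03-20,printer
london,2008-05-06,password_reset
london,2008-06-17,password_reset
leeds,2008-02-05,password_reset
leeds,2008-03-12,password_reset
leeds,2008-05-21,password_reset
leeds,2008-06-02,password_reset
"""

# Constructed physical-security log: one "site,date,event" line per incident.
TURNSTILE_LOG = """\
london,2008-01-08,tailgate
london,2008-02-22,tailgate
london,2008-03-30,tailgate
london,2008-05-19,tailgate
leeds,2008-01-20,tailgate
leeds,2008-03-18,tailgate
leeds,2008-04-28,tailgate
leeds,2008-06-09,tailgate
leeds,2008-06-23,tailgate
"""

WINDOW_MONTHS = 3  # compare the three months before training with the three after


def parse_events(text, wanted):
    """Yield (site, date) for each log line whose third field equals `wanted`."""
    for line in text.splitlines():
        if not line.strip():
            continue
        site, day, kind = line.split(",")
        if kind == wanted:
            yield site, date.fromisoformat(day)


def month_index(d):
    """Months since year 0, so that window arithmetic ignores the day of month."""
    return d.year * 12 + d.month - 1


def rate_before_after(events, site, info):
    """Monthly count per 100 staff in the window before and after training.

    The training month itself is excluded from both windows: behaviour during
    the rollout is neither baseline nor result.
    """
    t = month_index(info["trained"])
    before = after = 0
    for s, d in events:
        if s != site:
            continue
        m = month_index(d)
        if t - WINDOW_MONTHS <= m < t:
            before += 1
        elif t < m <= t + WINDOW_MONTHS:
            after += 1
    per_100 = 100.0 / info["staff"] / WINDOW_MONTHS
    return before * per_100, after * per_100


def awareness_report(min_improvement=0.25):
    """Per site and metric: (rate before, rate after, needs_repeat).

    needs_repeat is True when the post-training rate did not fall by at least
    `min_improvement` (25 per cent by default, an assumed threshold), which is
    the cue to repeat education where holes still exist.
    """
    metrics = {
        "password_reset": list(parse_events(SERVICE_DESK_LOG, "password_reset")),
        "tailgate": list(parse_events(TURNSTILE_LOG, "tailgate")),
    }
    report = {}
    for site, info in SITES.items():
        for name, events in metrics.items():
            b, a = rate_before_after(events, site, info)
            improved = b > 0 and a <= b * (1 - min_improvement)
            report[(site, name)] = (round(b, 3), round(a, 3), not improved)
    return report


if __name__ == "__main__":
    for (site, metric), (b, a, repeat) in sorted(awareness_report().items()):
        flag = "repeat training" if repeat else "ok"
        print(f"{site:8} {metric:15} before {b:.2f}  after {a:.2f}  {flag}")
```

With the constructed data, London’s reset requests and tailgating both halve after training, while Leeds shows no change on either measure and is flagged for a repeat session. Normalising per 100 staff is what makes the two sites comparable; a raw count would make the larger site look worse even when its behaviour is better.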


“The trick is to work at it over a prolonged period. Changes in behaviour take a long time – as long as two or three years. It requires time, effort and resource and it can’t be done overnight,” Smith says.


One organisation that has made concerted efforts in this area, however, is the photocopier manufacturer Ricoh. The company decided to go for global accreditation to the ISO 27001 information security standard because, says Kevin McLean, the company’s information security manager, it takes “reputation management and corporate social responsibility issues very seriously”.


A key element of the standard, which is based on a risk management approach, relates to personnel security and includes educating staff to protect information. The initiative was started in 2005 at each of the European, Middle Eastern and African businesses, which in total employ about 15 000 staff, a year after implementation at the firm’s Japanese headquarters.


McLean believes that behavioural issues are definitely the most important facet because, no matter how strong technical controls are, if someone wants to get round a system, they will. “Everyone makes mistakes, but by asking senior managers to set an example, creating champions, introducing awareness training and using carrots and sticks, it can generate significant process improvement benefits – and not just in information security terms, which can be a bit intangible,” he says.


Consistency and longevity


“Roughly I’d say that if you’re running below 150 staff, you probably don’t need a full-time person, but you do if you have 200 or above as this has to reach across the company,”
Kevin McLean, Ricoh



To embed such practices into the organisational culture, however, Ricoh has established a dedicated information security team of three to undertake planning and provide best practice guidelines, policies and training materials. Another role McLean feels is necessary is that of broker, because “some security risks fall through the cracks in between departments” when business processes are not as consistent and seamless as they could be.


Each office, depending on size, also has its own information security expert, either full-time or part-time. Their role is to co-operate with representatives from HR, facilities management and IT as part of a working group, particularly during the ramping-up phase, which is likely to last about six to nine months, but also afterwards for monitoring purposes, to ensure a process of continual improvement. This is important because risk management and implementation are undertaken at the local level to cater to each unit’s specific requirements.


“Roughly I’d say that if you’re running below 150 staff, you probably don’t need a full-time person, but you do if you have 200 or above as this has to reach across the company,” advises McLean.


Another organisation that has gone for ISO 27001 compliance, meanwhile, is the insurance claims processing outsourcer Audatex. It started down this route in June 2007 to cater proactively to customer requests for detailed security audits and, after hiring consultants to help assess risks and develop a risk treatment plan, it set up a steering group.


This comprises information security manager, Paula Robinson, and the directors of each business unit: HR, finance, IT, development, commercial and marketing and communications. Members meet monthly to monitor the results of internal audits, review the risk treatment plan and establish new policies and procedures as necessary.


Change from the top


Such a body is essential, says Ross McEleny, IT services director at the company, because “If you’ve not got top management commitment, just don’t bother, as without that you won’t change the culture, people or behaviour. It’s a leadership thing and staff behaviour will only change if senior managers change theirs, as they’re role models.”


McEleny adds that having a project champion such as Robinson is also important. Institutionalising change and demonstrating continual improvement requires dedicated time and effort, he says.


Such efforts include bi-monthly newsletters to highlight progress as well as running awareness sessions. These have now become part of the induction process for both permanent and temporary staff at Audatex, but are fine-tuned according to background. Refresher events also occur annually and questionnaires are disseminated afterwards to test understanding, measure effectiveness and provide feedback in order to enhance subsequent meetings.


But to make best practice stick, McEleny believes that regular communications are crucial. “It’s a gradual process to change attitudes, but you have to involve people to ensure that there’s ownership. These initiatives may require a ‘top down’ culture and support, but it can’t work without ‘bottom up’ involvement too,” he concludes.


Ensuring Good Security Practice

(Source: The Security Company)

Staff should:

- Where possible, protect all company data on desks, screens and other displays from being viewed by unauthorised people
- Lock workstations when leaving them unattended during the working day and log off at close of business
- Always visibly display security passes while on company premises
- Secure small items of equipment, laptops and personal items at all times
- Secure all sensitive materials at the end of the working day
- Dispose of sensitive papers securely
- Establish a security routine at the end of the working day to ensure that all safes, cabinets, desks and workstations are locked and the keys secured
- Report any security issues to managers

Staff shouldn’t:

- Allow anyone to enter the premises through access control points unless they have an appropriate security pass
- Tell anyone anything sensitive that they don’t need to know in order to do their job
- Release any sensitive information (especially outside the company) without the approval of their manager
- Share their passwords – they should treat them with the same care and respect that they would the front door key to their house
- Leave sensitive company material unattended on desks, in empty meeting rooms or in unlocked cupboards
- Be shy about coming forward if they have any questions about security or any suspicions about breaches or potential breaches in security


