Information security may have a high profile: surveys of chief information officers consistently rank security among the top five, and often top three, priorities. Recent information security incidents – such as the Sony PlayStation Network hack – have ensured that consumers, too, are aware of security online.
But when it comes to translating that general awareness into specific knowledge about how information security affects the business, and how to protect against such risks, less is being done.
According to the IT security practice at the Corporate Executive Board (CEB), just one to two percent of security budgets are spent on awareness. “It is not enough”, warns the CEB’s Jeremy Bergsman.
Spending on awareness, though, is a powerful tool. Research carried out by the CEB found that the “average propensity” for insecure behavior across US companies was 22%. In “lagging” organizations, it was as high as 40%. Best-in-class security awareness programs, however, can reduce this to just 12%.
Speculate to Accumulate
“The importance of information to businesses is increasing, and so executives increasingly understand the risk that exists around information”, Bergsman says. “That helps security executives remind people how easily things can go wrong.”
Translating that top-level understanding into good security practice among all of an organization’s staff requires a constant effort, as well as no small degree of creativity. The most effective security awareness programs eschew reliance on technical and procedure manuals, in favor of classroom and IT-based education, promotional campaigns, and even online games.
“Employees are often very receptive to the use of creativity, and their ability to recall and demonstrate secure behavior is significantly improved through the use of memorable communications”, notes Bernadette Palmer, senior communications consultant at The Security Company. This, she says, relates directly to the return on investment for a security education initiative.
The Security Company recommends CISOs follow these steps when designing a security education program:
|
In fact, some security experts believe that when it comes to education and awareness, it is marketing first, education second. “You have a product that is security awareness and you have to drive that into the customer base”, asserts Neil Campbell, general manager for information security at Dimension Data.
Professionalism Pays
Organizations also need to invest money, but also effort, into the way they communicate security policy and best practice. As Richard Harrison, a security specialist at PA Consulting Group, points out, an organization needs to ensure it has a solidly documented basis for its security set up. It is essential that education and awareness campaigns are at least as professional as the initial security audit.
“It’s not that you don’t need a security manual, it has its place, but you have to ensure that the whole organization has at front of mind that being aware of security is their responsibility”, says Harrison. There’s still a requirement for companies without a security policy or a manual to have these, but they are more for technical staff to reference. The second part [of good security] is education and awareness, and that has taken a different form.”
| "You have a product that is security awareness and you have to drive that into the customer base" |
| Neil Campbell, Dimension Data |
For Harrison, quality education and awareness materials – whether these are posters, PowerPoint slides or intranet resources – will repay their costs. Often the IT security function is not best-placed to develop such materials, so HR, marketing, or corporate communications should be involved to ensure that the materials are not just accurate, but look professional too.
“It is more important to provide nuggets of information, more often, in more innovative ways and in a targeted fashion”, he adds.
Security professionals who have implemented education campaigns agree that when it comes to raising awareness, less is often more (see case study: Warwick District Council).
Another key factor is ensuring leadership from the top. According to Harald Erkinger, a security consultant at Deloitte, it might be the chief information security officer’s responsibility to drive awareness and deliver security education, but if senior management back the security awareness campaign, it helps to ensure that it is more than simply a box-checking exercise.
“If you include security in team briefings and have direct line managers speak on infosec, or have senior management include it in messages they send out, that sets the tone and highlights it as an important issue that everybody needs to pay attention to”, he affirms.
Assessing Automation
In some organizations – especially larger companies, government bodies, or firms operating in highly regulated environments – there will be a need for some automated testing and assessment. At PA Consulting, Richard Harrison points to the use of automated security tests for new joiners to corporate networks.
These tests are also used in areas such as banking to ensure PCI-DSS (payment card) compliance, or for compliance where staff handles customers’ personal data. But while automated testing might be of use for companies’ HR and disciplinary procedures, on their own they might do little to improve security.
“If the policy has been made clear to employees, it is much more powerful when it comes to enforcement”, says Dimension Data’s Campbell. “Although computer-based training can be useful, much of what’s learned can go by the wayside when things get busy.”
| "If you include security in team briefings and have direct line managers speak on infosec…that sets the tone and highlights it as an important issue" |
| Harald Erkinger, Deloitte |
“We are seeing more use of computer-based learning”, agrees Deloitte’s Erkinger. “But if they are simply used as ‘tick in the box’ to keep certifications or for audit, they are not as effective. Computer-based learning is most effective when you understand your key audiences and use it to provide them with relevant information.”
Businesses are also using tools, including computer-based learning, alongside increasingly sophisticated, automated tools such as data loss prevention technology. The issue is that these tools on their own are rarely enough.
“Automated protection is not going to deal with, for example, a spear phishing attack”, warns Mark Waghorne, head of KPMG’s I4 security practice.
“It’s possible that nasty code in a PDF won’t pick up on virus scanners. There are a lot of tools for protecting corporate information, but awareness should be helping by telling people to look for things they don’t expect to see. Would you really expect to receive an email from someone you knew 12 years ago?” Waghorne suggests a drip-feed approach to security awareness is likely to be more effective than a single, one-off exercise.
“A well thought out awareness program has to have a strategic underpinning: What are we trying to achieve and how do we achieve it? Who are we aiming our messages at and do we need to tailor them for different user groups? For messages to stick, there has to be some context around them”, he concludes.
Warwick District Council is a local authority in the Midlands region of the UK, serving a population of just over 120,000. As a district council, the organization deals with issues ranging from town center management and planning to housing, transport and leisure services. Education and social services are provided by Warwickshire County Council. In some ways, according to Lee Millest of the council’s ICT Services’ infrastructure team, the council’s structure does make it easier to set and enforce security policies. The authority only has a relatively small number of users who need to connect to the GCSX (UK government secure extranet) network. Nor does it handle large amounts of personal data. “Leakage of data is not a particular issue”, says Millest. “We are not involved in social services, education or health, so although we do have to maintain some individual confidentiality, most council business is in the public domain. So we have security policies that are appropriate to our services.” The council uses a number of automated tools, such as web scanning technology from vendor Clearswift, to support its enforcement of privacy, security, and acceptable use policies. This, says Millest, is there “to prevent simple mistakes”. But the council also recently revised its security policy, and as part of that exercise, drastically reduced it. A 20-page set of rules was replaced by one half that size, and the council is placing a new emphasis on using sub-policies that are only handed out to people who need to know about them. “Our policy on payment card data is only now given to people handling card payments”, Millest explains. Policy documentation has also been simplified, so that each policy document contains bullet-pointed key messages. “The idea is that, if you read nothing more than the headlines, you will still read the six to eight bullet points.” The objective is, Millest says, to make good security as simple as possible: “it is about common sense, and plain language advice”. The council has also supplemented its security documentation and technical protection measures with direct education. The council’s in-house IT trainer, for example, has run courses setting out the appropriate use of social networking sites for senior officials and elected councilors. “There is a blurring of the lines between council and private use of IT, and we have to keep our education around areas such as social networking under review”, Millest explains. |