Comment: Building a Risk-aware, Cyber-secure Culture

"Security must be taken seriously and woven into the entire organization, with a culture that is built on understanding and trust", says IBM's Chris Nott

Just last November it was reported that 132 UK local government councils have admitted losing personal data on more than 1,000 occasions in the previous three years, leading to staff responsibility and data handling being questioned. In another incident, Britain’s most senior counter-terrorism officer was forced to resign after revealing a secret document to photographers on his way into a meeting at Downing Street. This leak necessitated bringing forward an operation to foil an alleged terrorist plot. Both of these examples show that neither the use of technology nor IT departments alone can achieve the desired levels of security.

It is necessary to build a risk-aware culture, one where values, attitudes and behaviors are the foundation of the day-to-day life in an organization. It is one where being careless about security is not acceptable. Changing culture to be more risk-aware cannot be achieved overnight.

The exposure of secret and sensitive documents highlights the need for us all to understand the value of an organization’s assets and the risks they face. Only then can individuals buy in to their responsibilities to protect them.

Guidelines and education for all staff are essential and help minimize inadvertent actions that can lead to security breaches. The creative process for these programs must be inclusive, otherwise there is a risk that measures implemented will be negated by decisions taken under day-to-day business pressures. Such guidelines supplement, rather than replace, company codes of conduct that give clarity on prohibited activities.

Over time, awareness will begin to grow and behaviors will change as individuals understand that safeguards make sense. Appropriate document handling becomes routine: fewer confidential documents will be left lying around offices, at home or in hotel rooms. People won’t read them – hard copies or digital – openly in public places, such as on a train. Document and media disposal becomes a conscious act.

Such change needs to be led from the top of the organization. It is no good putting in place measures for confidential document handling if locks on cupboards for storing them are broken, if site security fails to validate the legitimacy of visitors, tailgating is tolerated, or senior executives don’t wear their passes.

Security must be taken seriously and woven into the entire organization, with a culture that is built on understanding and trust. This includes mechanisms being put in place for policing and to track progress. Policies and processes must guide an organization’s security-related practices on office access, media handling, device use, internet access, application design and more.

Back in 2007, it was reported that the UK Government lost 25 million child benefit records. Names, dates of birth, addresses and details of all 7.25 million associated bank accounts were reportedly on CDs sent by unrecorded delivery. More than two weeks elapsed before management was made aware of the data loss. An open culture encourages security issues to be raised as they occur, allowing action to be taken immediately to reduce adverse impacts.

The mantra of ‘Think before you click’ on links and attachments in emails has long formed a part of education in many organizations. However, good practice extends to reviewing the content and distribution lists of what is being sent. Use of approved communications and storage mechanisms for company business lowers the risk of disclosure of confidential information. This includes email, social media, backups and storage media (including sourced storage). Guidelines on social networking use help protect both personal and company information, including casual comments and impressions formed within the organization.

A secure culture safeguards passwords, avoids sharing, and encourages using a variety of different passwords – they are valuable to attackers, criminals or otherwise. Privileged access to applications and systems demands higher standards – following additional security practices – individually managed and monitored based on business need.

Having a risk-aware culture has become more important with the recent increase in cyber threats, which are increasingly sophisticated and complex in nature. Organizations are also seeking to exploit new technologies, including efficiencies and innovations in mobile and cloud computing, but they bring additional risks that demand constant vigilance. While progress is being made in several areas of internet security according to IBM’s X-Force team, its '2011 Trend and Risk Report' suggests attackers today are being forced to rethink their tactics by targeting more niche IT loopholes and emerging technologies (e.g., social networks and mobile devices). These challenges cannot be tackled in one step, but rather via a continuous process to learn, monitor, analyze, decide and respond. It is also a balance of people, process and technology.

Technology can be used to give an up-to-date and coherent view of what is happening, protecting enterprise systems and networks and giving them the visibility they need. It is a key capability in defending against the threats and managing risks to an organization’s critical assets, its intellectual property and personal information. Automated collection, correlation and analysis of information from user activity, data access, applications and infrastructure use can provide organizations with the security intelligence to detect and deal with unauthorized or suspicious activity.

Technology helps encourage and enforce behaviors in line with an organization’s security policies. Education about the use of technological controls and awareness of risks to assets contributes to the attitudes that motivate acceptance of technology for its intended purpose. Underlying values and assumptions then evolve, helping to build a risk-aware, secure culture.


Chris Nott is the lead architect in the IBM Software Group for UK Public Sector and author of Cyber Security: Protecting the Public Sector. He is an advocate of increased professionalism in the IT industry, and his leadership with the BCS and IET was recognized when IBM won the 2009 UK IT Industry Award for Promoting IT Professionalism. In 2011, Nott became the vice chair of the UK & Ireland affiliate to IBM’s Academy of Technology.
