Cybercrime is one of the greatest challenges facing the business world today. The past 18 months have witnessed devastating data breaches at the likes of Sony, JP Morgan and Target. No amount of investment in technology, it seems, can prevent a cyber attack.
Technology, of course, is hugely important in helping organisations combat and respond to threats, but that on its own is not an adequate defence barrier. Any business that does believe that is likely to find itself among the aforementioned list of casualties.
Meanwhile, CIOs and CISOs are all too often flooded with information on the latest zero-day vulnerabilities and malware threatening to break through their defence perimeters. How about looking a little closer to home?
Of the 450 data breaches reported to the Information Commissioner’s Office (ICO) in the fourth quarter of 2014, 102 were down to loss or theft and 127 were down to data inadvertently posted, faxed or emailed.
When data breaches are the result of an external attack, it is often the ignorance of employees that is exploited – whether it be clicking on an email link they shouldn’t open or downloading an unapproved app.
So clearly more needs to be done to educate and train employees on the consequences of their actions.
‘Often, leaks occur because employees are unaware that the way they manage files is insecure,’ says Keith Poyser, GM EMEA at Accellion. ‘Employees have got to be trained in the best practice for securing their sensitive data, but it cannot stop there.’
Companies must be sure that they are in constant communication with their staff when it comes to software updates, changes in policy or deployment of new solutions. It’s when communications break down that the system fails.
Certain industries, such as defence, technology and finance, are already investing heavily in securing the human element of business, but others are dangerously behind.
‘Near the bottom I would put industries such as education, hospitality and retail,’ says Lance Spitzner, training director at the SANS Securing The Human Program.
It’s fair, then, to assume that, generally, organisations focus too much on technology and not enough on internal education.
That’s not to say that technology is futile – far from it – but CIOs must not fall into the trap of thinking one IT deployment will stop humans doing things the way they like to do them.
The business world today requires technology that enables employees to access their sensitive data anytime, anywhere, on any device, and without the fear of becoming a security threat.
Ultimately, an organisation can give employees the most secure devices in the world, but if it tries to limit them they will undoubtedly find a way around it. That common scenario can very easily cause the breach.
‘CIOs and CISOs must find a balance between providing the best enterprise-grade tools to make their workforce both secure and productive, and implementing a training programme that keeps them on the straight and narrow,’ says Poyser.
According to research by Cisco, employee behaviour is in fact the second greatest source of risk to data security – the first is cybercrime – emphasising the growing need for an increased focus on internal threats.
The study revealed that 35% of people expect their company’s security policies to protect them, while only 42% believe it is their responsibility to keep company data safe.
‘Implementing technologies that safeguard the business from malicious intent is vital,’ says Terry Greer-King, director of cyber security at Cisco UK&I. ‘But training employees to understand they too are liable on an individual level is equally important.
‘Since security has traditionally been viewed as an IT issue, as opposed to a business one, many organisations have been slow to move from securing things to securing the actions of people.’
The weakest link
For organisations with huge staff counts, training them all can seem daunting. But however difficult a company-wide culture change may sound, putting off such an initiative can have dangerous consequences.
Cyber attackers have identified the human as the weakest element, and will continue to target them until organisations invest in training people.
Just like an operating system (OS), people store, process and transfer information – so CIOs should view them in the same light when it comes to security.
‘Most organisations have done nothing to secure the human OS,’ says Spitzner. ‘Then we stand around and wonder why people continue to get hacked. It’s our fault, not theirs. Until organisations establish awareness programmes, this human failure will continue to happen.’
It is important that all employees understand both their part in the security of the organisation and how to interact with those who might be more directly involved.
People are very good at spotting unusual behaviour, and this can be used to identify threats, but for this to work people have to talk.
‘There needs to be a clear channel of communication between those involved in security and those in the broader business, and in some organisations this needs to be improved,’ says Richard Brown, director of EMEA channels and alliances at Arbor Networks.
An effective training programme must be continuous, interactive and available to all employees. It should start when an employee joins the company as part of the onboarding process inside HR, and be reinforced by frequent refresher courses that keep up to date with the new and emerging security threats.
CIOs should invest in interactive training that involves a level of penetration testing and real-life scenarios, and look to mandate this for all employees as it will have a far greater impact than a pre-recorded, non-compulsory online session.
The programme must also include all staff levels. While managers and directors may be the only ones directly dealing with sensitive information, it is equally important for a PA not to click on a phishing link as it is for a CEO.
‘Companies need to keep in mind that any employee can be targeted by hackers,’ says Paul Briault, senior director of security solutions at CA Technologies. ‘Therefore, the most effective strategy in combating cyber threats is ensuring equal training and education for all.’
Brown adds, ‘By communicating from the C-suite level downwards throughout the business, all employees will understand their role in helping to protect the company.’
The cost of rolling out such a programme can vary greatly depending on the size of the programme. However, many elements, such as training in context and storytelling or setting up a cyber security awareness site, can be implemented in-house at relatively low cost.
An investment would be required to implement simulated attack scenarios and learning- and gaming-based training software. But many companies that specialise in delivering these solutions offer a per-user licence, so the initial costs can be fairly low.
‘A major challenge in rolling out a security initiative is getting everyone to buy into it – it has to be a mandate from the C-suite,’ says Rashmi Knowles, chief security architect, EMEA at RSA.
‘One of the basic steps that must be completed before starting a training and awareness programme is a clear understanding of the organisation’s assets and how these are protected.’
It’s necessary to understand different employee perceptions and behaviour in order to create an internal culture that is security savvy.
Behavioural research by Cisco identified four behavioural profiles that are useful for effective targeting when it comes to security policy.
The ‘threat-aware’ and ‘well-intentioned’ try to remain safe while online, yet do not completely understand how their behaviour compromises corporate security.
The more troubling profiles, and those that must be addressed directly, are the ‘complacent’ and ‘cynical’. These include those who believe security is overhyped, and choose to ignore or, worse, actively circumvent already enforced security measures.
‘All employees must be educated, encouraged and equipped to take responsibility on an individual level,’ says Greer-King, ‘be it steps as simple as patching or using effective passwords.’
Whatever approach an organisation chooses to take, it’s essential that they don’t ignore the human dimension of security. If staff don’t understand the dangers, the best technology in the world will only be of limited value.
One of the biggest challenges is educating the three key stakeholders involved in cyber security decisions: engineers are often wary of taking on more security measures on top of dealing with malware; IT directors understand the importance of security but are not allowed to make industrial infrastructure decisions; and CEOs fail to see why they should invest in cyber security.
In this triangle of stakeholders, cyber security is typically lost and, in many cases, split between teams.
‘Companies often put policies in place and have staff sign the agreement, but then fail to make sure that these are followed up with regular awareness and education sessions that make imaginative use of various tools to ensure security is always front of mind,’ says David Emm, principal security researcher at Kaspersky Lab.
While training the masses is essential, mutual understanding and partnership between these three groups is the most critical component to any successful cyber security programme.