The cliche remains the same - when it comes to security, people are the key

Profile picture for user mbanks By Martin Banks June 10, 2019
Summary:
Businesses spend billions on the stuff, and much of it does a fair bit of good, but they would do better – and save a fair slice of money – by looking to people rather than tech investment.

There was an interesting paradox to be seen at last week’s InfoSecurity Exhibition and Conference at London’s Olympia Exhibition Hall.

Here was the great and the good of data and cyber-security technology in the form of most of the biggest names in that industry. It was possible see a case for any major enterprise or organisation to pop round a dozen or so of the exhibition stands and happily spend upwards of £10 million on technology to solve any number of security problems.

It was also possible to speculate that, in much the same way as has happened almost continuously over the years, the result would be no real resolution to the escalation in security issues, and the increase in staff needed to manage it all. As someone said in passing at this year’s show: 

Add three new security tools and add another team to configure, optimise and manage in operations in co-operation with (and sometimes against) all the other tools already on hand.

Yet up on the gallery floor of Olympia, on the Keynote Stage of the conference, one of the most popular sessions of the first day was a panel session stressing that the weakest link is nearly all security failings are to be found amongst the staff, and much of that problem can be cured – or at least drastically reduced – without having to invest a penny in any of the tools and technology on show down on the exhibition floor.

It's about people, stooopid

The session on `Building Brand Infosec: Engaging Employees to Drive Secure Behaviour’ addressed one of the most important and fundamental issues in the world of cyber-security. Basically, you can spend as much money as you like on all the whiz-bang security technology you can lay your hands on – and to be sure there was plenty of it on display on the exhibition floors – but if the people don’t buy into the ethos of being secure, and what that entails, it is all money down the drain.

It has to be observed that the basic underpinning of most of the sales messages to be seen at the show could be summed up as `buy this and it’ll all be wonderful’, whereas this one session demonstrated that such an approach missed the heart of the matter by a country mile.

It consisted of four 'lightning talks', five to 10-minute presentations that together set out the theme. First up was Linda McCormack, Head of Internal Communications at Anglian Water Services. As she observed, staving off water shortages is a perennial problem, and one where the loss of IT services for any reason could cause significant damage. The company realised there was a complementary relationship between having the necessary technology solutions available, and having staff understand why it was all necessary. As the communications specialist it fell to her to get that message over.

Her goal became to provide highly targeted communications to the staff that identified the real security risks involved in straight forward ways:

Basically, this is about being aware that internal communication is crucial, and that it doesn’t just happen by itself.

The key then is to engage the staff in the subject, and keep them engaged. Her tactic was really quite simple and straight forward. First, give the key security `players’ -  hacking, phishing, viruses etc - cartoon personalities and then create a Top Trumps style of game that all staff can play together. Each of those players was given superpowers, but there were then also tools with which the staff could defeat those powers.

She also devised ways in which to attach such games to events such as Christmas – where staff to get small presents – and Halloween, when they could be beset by `ghostees and goulies’ motifs around which storylines were then built.

The results, she said, have been very positive with, for example, a 200% increase in potential phishing emails being reported to the IT team for investigation/removal from the company’s systems.

Flavius Plesu, who until recently was Head of Information Security at the Bank of Ireland and is now a founder/director of OutThink, a company that specialises in human risk protection, was next up. Much of the company’s work on is based around the academic work and findings of Angela Sasse, Professor of Human-Centred Technology and Director of the Science of Cyber Security Research Institute at University College London on the individual’s propensity to behave securely.

Has said that the company’s researches suggest that 90.8% of security incidents have their basis in human behaviour and only 9.2% are purely technology-based attacks. It is the humans that let the technology in to begin with through phishing exploits and similar approaches. So the first component that has to be built into a business is security awareness amongst the staff, and they have to build self-efficacy in this area. More to the point, business managers need to be aware that some of their own requirements on staff then make this really quite difficult:

Even if they want to be good employees it is often very hard for them. There are often too many passwords to deal with and too many operational and business process restrictions that cost staff time and put them under unnecessary pressure. They are therefore often ignored by staff in order to get their job done.

Even with training, he observed that their behaviour may not change much, if at all. So the key need is to increase their intention to comply, while reducing the aggravation of actually doing that, or diminishing their capabilities at doing their job.

Making staff the heroes

Over at the International banking giant, HSBC, the company’s CISO for Europe and the UK, Paula Kershaw, has taken the route of turning security knowledge into an exercise in generating individual status for staff. This is with the introduction of what has become known as the `Cyber Shield’ programme. This is where individuals can become `Cyber Shields’, gaining some status for their security knowledge and practice, and also becoming a local expert that other staff can look to for security advice, simple skills and process training and become something of a security overseer for a part of the business.

From her point of view this has entailed building up the knowledge of such candidates, plus providing them with the resources and support they require. It has also included setting targets and goals for them, as well as the process of identifying who could or should be targeted. All of this helps then keep them motivated and engaged in the security processes of the business. To that end, she made the important observation that this does mean all relevant documentation and support materials need to be translated into the key languages used by the business:

The one thing needed is a senior sponsor in the company to demonstrate to the Cyber Shields and the rest of the staff the importance the company places in this approach.

At this point, the scheme has generated a total of 1,500 Cyber Shields right across the 42 countries HSBC operates in.

As this is all about the people and getting their buy-in to taking a positive approach to cyber-security, the position adopted by Killian Faughnan, the CISO at bookmakers William Hill, seems at first out of context, and yet absolutely logical:

I am here to talk about marketing - marketing a product called security to our staff and our customers. That can be from the company Board level down. So that is where to start: know your customer, as in the people you want/need to hit with the security message, and define why you need to hit them…..that will help define the messages needed.

Then, he said, the need is to make the product messages as simple as possible. As part of that process it is also important to remember you, as marketeer, are part of the product as well:

Make them believe you believe in the need for their part in security. And do not over-complicate the subject. That is far too easy with security technology….being simple is, in this context, liable to be difficult.

His suggestion was to choose the three main points you want to make and make their clearly and simply. The important factor here is that it does not need a large budget to make this stuff work. It is about engagement at a human level, not spending lots of money. So make it personal. And always remember that there are marketing resources readily available on the web:

Security culture should be part of organisational culture, and really has to be driven through everything. It should not be a silo. Think of your people as people and remember that: because you will need to understand that they may not understand it or why any of it is that important.

My take

When it comes to the range and diversity of tech solutions on show, it is easy to assume that, somewhere in the panoply of possible solutions, there is a cure for every cyber-security ill any business could ever face. Yet the ills still keep appearing, ever thicker and ever faster. So technology per se is obviously is not the answer. And here are some simple approaches to what is increasingly seen as the primary weak link – the people. And what is more, they may prove to be not just more efficacious, but a damn sight cheaper than the lavish application of technology