Education is the key to securing your organisation
I have been planning to write an article on security for some time, but given the wide scope of the topic I was unsure where to focus.
I was inspired by a visit to the local gym. The gym is close to several large organisations, so, as you can imagine, it is used by many of their employees. One of those organisations is very high profile, a global brand in fact. For the purpose of this article there is no need to reveal the company name. I know from my interactions with them that security is extremely high on their agenda and something they pride themselves on getting right; their core values are built around safety, security and reliability. One could argue that the organisation's biggest asset is its data, and in particular its intellectual property. The IT Director allocates in the region of 18% of his budget to security, which is at the high end of the spending average. Needless to say, this organisation takes security extremely seriously.
During one of my visits, as I got changed for a lunchtime session, I noticed the clothes hanging on the peg next to mine. The company-branded top was accompanied by a company-branded lanyard attached to a company-branded access card and a set of keys. To my amazement, the card carried the name and job title of the holder, who happened to be a member of the security team.
In all fairness, it is easy to see how this happens. The person in question was obviously in a rush, fitting a quick workout into the lunch break before returning to work. I am 99% convinced there was no thought, and no awareness, behind leaving the access card hanging on the peg with his clothes.
I thought about this for some time afterwards: what would I do if a member of my own organisation had done that? After all, security falls under my remit. My first thought, somewhat obviously, was about the type of disciplinary action we would need to take. Our staff have been warned and made aware of this sort of thing, but it struck me that not every organisation educates its staff, and perhaps the blame did not lie solely with the individual. Had this major organisation focused too much on securing the "perimeter", as it were, and not enough on the threat from within, albeit an unintentional one? Was their education programme, like a few I have seen, focused only on technology, i.e. keeping the antivirus up to date, not using rogue USB drives, not opening dodgy emails or websites, and so on?
Technology is now mainstream
Depending on which report you read there are around 28 billion connected devices in the world right now, and estimates put that figure at around 50 billion within the next three or four years. We now have applications at our fingertips that provide services which historically came from the IT department. It is the norm for employees to expect to bring their own devices to work and consume business services on those personal devices. Securing the organisation while providing this flexibility for users is difficult, but, as my example above shows, using technology to build a virtual fortress or trying to enforce policies will not work without good education.
Lack of the right education can be damaging
Securing your organisation and its data is only going to become more difficult with the growth of IoT, and the new General Data Protection Regulation (GDPR), which comes into force in May 2018, will highlight the need for the correct procedures to be in place to detect, contain, resolve and report security breaches.
In 2015, 60% of all security attacks were from insiders. I would hope that most organisations understand that the end user, whether acting intentionally or not, is now the biggest threat, although I fear most are naive to this. One would also hope that organisations go further than simply assuming employees will read the company security policy or follow set procedures. Automation that ensures machines are correctly patched and encrypted, keeps virus prevention up to date, inspects network traffic and prevents rogue applications from being installed is easy to implement now; even so, there is still a need for education.
As I described in my anecdote, security should not be limited to cyber security. Our organisations need to be educated on both cyber and physical security.
Security needs to be driven to the heart of the organisation, and a well-thought-out security awareness programme should be developed. To do this, you first need to understand where the organisation currently stands. This was my starting point.
Raising the awareness
One way I went about raising awareness and gauging the level of knowledge was to send out my own simulated phishing email. I targeted all staff, sending them an email from a rogue external address dressed up to look as though it came from me, but with some obvious mistakes. The email directed them to a third-party site with a suspect-looking address and asked for a mixture of personal and business information. The results were astonishing: the business had vastly underestimated the threat. If you run an exercise like this, make sure the landing page records only who clicked and who submitted the form, not what they typed, so the test itself does not become a store of staff passwords.
Following this I updated and redistributed the policies, as well as developing an online security training tool. The tool, a 20-minute awareness video with a few multiple-choice questions at the end of each section, gives an overview of all aspects of security, not just the technical ones. I made sure it included tips on how to stay secure both at work and outside of work. We now use this tool as part of the induction for all new starters, and my plan is to refresh it and retest everyone each year. This low-cost exercise can carry great value for the organisation, and because the phishing test gives you a baseline, demonstrating the return on the investment is straightforward: run the same test again after the training and compare the click and submission rates.
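To make a simulated phishing exercise like the one above measurable, each recipient needs a distinct, unguessable token in the link, and the landing page should log only hits and form submissions. The script below is an added example and is not code from the original article or from any tool the author used. It assumes a link of the form `/login?t=<token>` and a landing-page log with one line per request (timestamp, method, path, status); the recipients, tokens and log lines are constructed for illustration.

```python
"""Tally the results of an internal phishing simulation (added example).

Assumes the simulation link was /login?t=<token> with one token per
recipient, and that the landing page logged every GET (link clicked) and
every POST (form submitted) without storing what was typed.
"""
import re
import secrets
from collections import defaultdict

# Constructed recipient list (not real people): address -> department.
RECIPIENTS = {
    "alice@example.invalid": "Finance",
    "bob@example.invalid": "Finance",
    "carol@example.invalid": "Engineering",
    "dave@example.invalid": "Engineering",
    "erin@example.invalid": "Security",
}


def issue_tokens(recipients, make_token=lambda: secrets.token_hex(8)):
    """Mint one random token per recipient and return token -> address.

    The token goes into the link instead of the address, so each hit is
    attributable but the recipient's e-mail address never appears in a URL.
    """
    tokens = {}
    for address in recipients:
        tok = make_token()
        while tok in tokens:  # collision is vanishingly unlikely, but cheap to guard
            tok = make_token()
        tokens[tok] = address
    return tokens


# Fixed tokens for the worked example so the output is reproducible.
TOKENS = {
    "t-alice": "alice@example.invalid",
    "t-bob": "bob@example.invalid",
    "t-carol": "carol@example.invalid",
    "t-dave": "dave@example.invalid",
    "t-erin": "erin@example.invalid",
}

# Constructed landing-page log: timestamp, method, path, HTTP status.
# "t-zzzz" is a token that was never issued (a forwarded or tampered link).
LOG_LINES = """\
2016-11-02T12:14:05Z GET /login?t=t-alice 200
2016-11-02T12:14:40Z POST /login?t=t-alice 302
2016-11-02T12:16:12Z GET /login?t=t-bob 200
2016-11-02T12:20:01Z GET /login?t=t-carol 200
2016-11-02T12:20:30Z POST /login?t=t-carol 302
2016-11-02T12:21:00Z GET /login?t=t-zzzz 200
2016-11-02T12:25:11Z GET /login?t=t-bob 200
""".splitlines()

LINE_RE = re.compile(r"^(\S+) (GET|POST) /login\?t=([\w-]+) (\d{3})$")


def classify(tokens, log_lines):
    """Return (outcome, unknown_tokens).

    outcome maps each recipient address to 'no_action', 'clicked' (any GET)
    or 'submitted' (any POST); a submission is never downgraded by a later
    GET. Tokens that were never issued are collected rather than counted.
    """
    outcome = {addr: "no_action" for addr in tokens.values()}
    unknown = set()
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not landing-page hits
        _ts, method, tok, _status = m.groups()
        addr = tokens.get(tok)
        if addr is None:
            unknown.add(tok)
            continue
        if method == "POST":
            outcome[addr] = "submitted"
        elif outcome[addr] == "no_action":
            outcome[addr] = "clicked"
    return outcome, unknown


def summarize(recipients, outcome):
    """Per-department counts of e-mails sent, links clicked and forms submitted."""
    per_dept = defaultdict(lambda: {"sent": 0, "clicked": 0, "submitted": 0})
    for addr, dept in recipients.items():
        row = per_dept[dept]
        row["sent"] += 1
        if outcome.get(addr) in ("clicked", "submitted"):
            row["clicked"] += 1
        if outcome.get(addr) == "submitted":
            row["submitted"] += 1
    return dict(per_dept)


if __name__ == "__main__":
    result, stray = classify(TOKENS, LOG_LINES)
    for dept, row in sorted(summarize(RECIPIENTS, result).items()):
        print(f"{dept:12} sent={row['sent']} clicked={row['clicked']} "
              f"submitted={row['submitted']}")
    if stray:
        print("unissued tokens seen:", sorted(stray))
```

Counting "clicked" separately from "submitted" matters for the follow-up training: a click shows the lure worked, a submission shows the suspect address on the landing page was not noticed either. Re-running the same tally after the training, with freshly issued tokens, gives the before-and-after comparison that demonstrates the value of the programme.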
My final thought for you to consider is understanding the area in which your office or offices are located. This was highlighted to me by a friend and colleague from one of our sister organisations. Our office is centrally located in what, on the face of it, seems a nice city; however, the underpasses that surround our building are renowned for petty theft. Staff often walk out of the building talking on mobile phones or carrying laptop bags, and by highlighting the risk we help them stay vigilant. Again, the key here is awareness.
Companies may have security policies, but every organisation also needs some sort of security education programme to help focus the mind. It does not have to be long and complex, but it needs to give you the right footing to keep your organisation secure. I have hopefully demonstrated the need to go beyond cyber security and consider physical security, our environment and our personal actions, like leaving your security pass in the gym!