Businesses spend billions of pounds on security technology,
but investing in security awareness could cost less and prove more
effective.
Barclays Bank has shown that education may be the key to IT
security - more so than the $44.6bn Gartner says businesses will
spend globally on software, hardware and services.
Businesses report difficulties in measuring return on
investment, and high costs are often cited as the chief reason for
not investing in security awareness programmes.
But Barclays was able to increase security incident reporting by
a factor of 10 by producing an innovative training video that
used humour to engage its target audiences.
"Many organisations are put off by the cost, but the whole
project worked at less than £1 per employee," says Mark Logsdon,
deputy head of information risk management at Barclays.
The project took only four months to complete, but should last
up to five years as the video can be edited and updated, he
says.
Barclays commissioned five short Hollywood blockbuster-style
films to illustrate security principles such as keeping passwords
secret.
Although insider threats are a serious risk to business, when an
outsider gains insider privileges, the potential damage is much
greater, say security experts.
One of the most common methods criminals use to get insider
privileges such as passwords is social engineering - tricking
members of staff into disclosing the information they need to
attack systems.
Security consultant
Colin Greenless showed earlier this year how easy social
engineering is by getting passwords from 17 of 20 people he asked
at a FTSE financial firm.
And yet security awareness training is not a priority for most
UK organisations, and is often the first thing to be cut in an
economic downturn.
A freedom of information request revealed that
only one in nine UK government departments has a specific
budget for training staff in IT security in 2009.
"Training people is about improving their effectiveness. If they
do not understand how to protect against security threats, the risk
is much higher," says Robert Chapman, chief executive at Firebrand
Training.
Logsdon says most organisations spend too much time focusing on
technology and people are often neglected.
There needs to be a balance between people, technology and
processes that make it easy for people to do the right thing, he
says.
This is important, says Marcus Alldrick, chief information
security officer at insurance firm Lloyd's of London.
"The challenge is to get people to follow processes that support
technology," he says. This is another reason why education around
IT security is important.
Attitudes to information security
A survey of attendees at the recent (ISC)² Secure London
conference found that most believe people are most important to a
successful information security strategy.
Some 70% said people were the key component, compared with 18%
for processes, 6% for technology and 6% who said all three were
equally important.
Delegates also heard that security professionals must educate
themselves about the latest attack methods to be effective.
Without researching the latest attack methods and motivations,
any security technology is a "shot in the dark", according to James
Rendell, UK technical manager, IBM internet security systems.
The biggest danger is IT professionals deploying countermeasures
they believe are effective, but in reality are not because they do
not understand the real nature of the threat, he says.
Cybercriminals require the same return on investment as
legitimate business, therefore security professionals must
prioritise defences against threats such as SQL injection attacks,
which are easy, low cost and have a large number of targets, says
Rendell.
Security technology and processes are indispensable, but without
proper attention to educating people, both users and IT
professionals, billions of pounds spent on security hardware and
software will be wasted.