Information is the lifeblood of most organisations. It can take one of many forms, such as physical files, digital files or databases. Furthermore, computer systems allow us to keep data almost indefinitely, and as we generate even more every year, the amount of data that an average FTSE 100 company stores is growing steeply.
Furthermore, employees have access to this data heap, which is frequently stored on devices that can be easily lost. And many users do not feel they are the owners or custodians of the data when they should. This may not be a problem in customer relationship management (CRM) systems where user access is limited, but it is a huge problem for unstructured data, such as office files, pictures, PDFs, CAD files, to list just a few, warns Vladimir Jirasek, senior enterprise security architect at Nokia, non-executive director CSA UK & Ireland, and CAMM Steering Group member.
The question is, what can and should organisations be doing to change behaviour so that all IT users actively share responsibility for the security of data?
Jirasek says it is important to educate users that data should be protected. But this is easier said than done. "With the new generation of employees in the workforce comes a lesser view of privacy. So-called Generation-Y employees are more likely to share data about themselves with others they do not know."
He recommends that companies should develop well-written and easy-to-understand classification policies. "Having clear instructions helps; no one wants to read a 10-page document when two pages would do the same job."
Second, the IT systems should ask users about data classification and any other restrictions and metadata; for example expiration, change of classification with the time, and controlled access. The interface needs to be clean, easy to navigate and understandable.
Thirdly, the classification and other metadata need to be attached to the data and the restrictions imposed as the data travels through IT systems, computers and storage.
Lastly, organisations should investigate leaks and data issues and publish the action taken against the employee. This serves as a reminder that the organisation has data security policies which it takes seriously, says Jirasek.
Take control of information ownership
As with data classification, most organisations have no information ownership policies. Yet the concept behind information ownership is simple - if you use information in your day-to-day work, then you should be responsible for it, says Peter Wood, London Chapter ISACA Security Advisory Group and CEO of First Base Technologies.
He suggests that organisations need to assign information owners, typically the most senior person responsible for each piece of information, usually a manager or senior manager. It then becomes this person's responsibility to determine which information is sensitive, valuable or critical and create an inventory of that information, classify it, then liaise with the information custodian (often the IT department) to ensure that the appropriate degree of protection is assigned to that information.
In Wood's experience, too often this process is absent, meaning that everyone assumes it is up to the IT department to decide what needs protecting and to "just get on with it".
But information ownership can work. As an example, Wood says a manager may write a report on a new project which is commercially sensitive. Since the manager created the report, this makes him or her the information owner. The report is confidential and should only be viewed by a select group of people, so the manager needs to make a list of who these people are.
"If the document is to be stored in a corporate system, the manager would need to ask the IT department to secure it and put controls in place to ensure only the people on the list can access the document - this makes IT the information custodian," he says.
However, according to Wood, it still falls to the manager to decide who is on the list, and subsequently to check that the controls are working correctly. If the document is to be stored on a laptop, the manager becomes both the information owner and information custodian. "It is the manager's responsibility to guard access to the laptop to protect the information stored on it," he says.
If staff are educated to understand the concept of information ownership and classification, and given clear guidance to assist them, then the risk of data leakage is greatly reduced.
Make security messaging meaningful
For years, security awareness has been seen by security practitioners as a fundamental weapon in the fight to secure information in the enterprise. Many organisations run security awareness campaigns and spend a significant part of their annual security budget on educating, informing and ultimately attempting to change staff behaviour so it is "security positive". But security awareness has failed.
Adrian Davis, ISF principal research analyst, says greater emphasis needs to be placed on fostering the exchange of information security messages that are meaningful at a local and personal level, and that are practical, easy to understand and reinforced regularly.
"To change behaviour, attention needs to be paid by organisations to how security messages are perceived personally and locally, and how they can be sustained, supported and passed on to produce learning and action," he says.
Davis describes this as the basis of a security positive environment, which is established by addressing a range of factors, such as the organisation and its culture, the security function and its effectiveness, and the localised presence of information security.
To help information security become personalised and localised, Davis recommends establishing what he describes as security circles. These are based on the concept of quality circles, led by a local security champion. "Security circles provide a community of practice for the open discussion of information security and how it affects everyone in the workplace," he says.
Responsibility for identifying and eliminating security incidents resides with each local quality circle and the individuals therein. According to Davis, security circles help individuals understand that productivity, reputation and effectiveness are all affected by information security incidents and that individuals can and should have a role in ensuring information security risks are managed "on the ground" and not only by the corporate security function. "It goes beyond policy, changes behaviour and helps turn people into the first line of defence," says Davis.
Spreading security knowledge and tools
Matthew Lord, CISSP, active (ISC)2 member and chief information security officer at Steria, says security professionals have spent too much time implementing controls that stop a user doing something silly and/or exposure of any data. "With the iPad, social media and frankly a management team tired of hearing the security guy say no, organisations need to both educate staff on what's acceptable and focus on the really important stuff, ignoring low-risk items."
Better use of employee education is key, he says. "Take the example of a graduate who joins a large corporate. Often their first three years are focused on soft skills development, such as presentation skills, report writing, diary management, etc. These are all organisational behavioural norms that the organisation is trying to mould their new person into."
So organisations need to include security, compliance and other areas of risk into the basic training for day-to-day work. "Why teach a person to write a good report if they then post it on Facebook?"
Another area IT security professionals need to address is one of overkill, such as spending £1,000 on a lock for a shed worth £200. The real point here is get people to focus on what matters, says Lord. "Not all e-mail leaving the organisation needs to be encrypted and not all iPads need to be encrypted to Ministry of Defence level - surely the manufacturer's encryption is enough for most people within the organisation?" If the environment is too secure, then organisations can have the problem of getting people to "think secure", he warns.
He says that IT has focused for a long time on securing the IT infrastructure, but users are rarely given the tools to do the job. For instance, how many corporates include encryption tools? "I know some of my employers have had the right tools, while others did not, but the company still asked users to encrypt documents."
Furthermore, the tools we do give users are difficult to use. "Encryption is a nightmare to teach a user. I tried this at one company and basically we ended up going back to faxes. It is very difficult technology to teach someone who is not IT trained."
Education is key to getting people to share ownership of IT security issues. After all, it is their data. This should be combined with structured data classification, easy-to-use tools and policies that help staff become security positive.
This was first published in November 2011