Computer security is a hot topic today, and much talked about. There are endless emanations of new and sparkly technologies, each of which aspires to solve security problems, though most (sadly) turn out to be:
- require too much of too many
- prescriptive to a level that is impossible to deliver.
Yet, throughout all the product and service announcements one common element but critical participant seems forgotten: the employee.
If you look at your employer, how much does it spend on equipping staff to understand what computing-related security involves? The italics are intentional. 99% of employees do not need to have a complete knowledge of security, just as they do not need to know everything about accounting or manufacturing. What they do need is sufficient background to take reasonable and common sense precautions. (Computing-related security is an ugly phrase but is used here to include information, systems, networks and software -- all of which are relevant.)
Shambolic security training
Unfortunately, far too few organisations methodically undertake the periodic security awareness training of their people which enables employees to understand the nature of current IT threats and to keep up to date on IT business security initiatives. This omission often produces results that can be shambolic, rather than managing IT risks while saving money and concentrating efforts.
If you do not believe this, consider one organisation which sends its people to offices in different countries. What is extraordinary is that in this organisation no employee being sent abroad receives any training about special considerations they should apply, even when the destinations include the USA, China, South Asia or the Middle East –places now known for their liking to ‘take’ information from ‘others’. To extend the picture further this:
- applies from the most senior executives to far more junior staff (remembering that it is the latter who are often the ones charged with administering the information and processes on which enterprises depend)
- occurs even within this organisations’ own home country locations, where minimal computing-related security awareness features as part of any employee development programme or even discussion of responsibilities.
You may consider this an extreme example. Perhaps it is one that is not representative of most businesses. Nevertheless the lack of user awareness and training reflects accurately what happens in other businesses. Bear in mind that security threats today are certainly not only restricted to those who travel abroad but cover everyone, whether they work at a desk with computer or are mobile only or work from their home PC or at the local coffee shop.
Rambling discussions in the local pub
Now ask yourself: when was the was the last time the average employee in your organisation received formal security awareness training (i.e. not a rambling discussion about what can go wrong delivered in the local pub or wine bar, probably given by someone with little formal training in IT security)? If it was within the last three months, good. If it was several times within the last year, much better. If it is part of a continuous program in which you participate and are encouraged to assume some responsibility for contributing to your employer’s computing-related security, even better still (though I am willing to bet that this is not the case for most).
Premium Content on Security
The employee should be the crux of effective general computing-related security. If he or she constructively performs their part this can reduce the burden on those who must deliver the more complex parts (of security). Or, inverted, if those charged with producing the secure enterprise have to worry less about the ordinary then they have more time to address the extraordinary. It can be a win-win situation. Yet this is only possible if employees are made aware and are kept aware of what they reasonably should do, and why they should participate and care.
Common sense is not enough
You might think that common sense is sufficient. It is not. Technology moves on relentlessly and the threat environment evolves all the time. Fifteen years ago we had laptops but taking your company laptop on a business trip was most likely considered a physical security risk (of it being stolen) than for the importance of the information it contained, though even then were some organisations which were more vigilant.
This contrasts with the much broader computing-related risk of today where in some countries the legitimate forces of law and order may politely take your laptop to scan it ‘for your security’ yet surreptitiously install software that unknown to you or your employer may open the firewalls to confidential networks, information and applications. Indeed, simply having someone else have a copy of certain data files can expose your organisation to economic threats or legislative action in your home nation. Common sense matters but by itself it is insufficient: it needs training in order to ensure appropriate awareness.
Employees have a duty to their employer
What, then, should a reasonable organisation do? The first aspect to consider is responsibility. Deciding what level of responsibility is appropriate for employees is the essential starting point, as is some mechanism to know that each employee recognizes that he or she has an computing-related security responsibility to their employer. That should be supplemented by an ongoing, preferably regular, security briefing mechanism that involves the employee and checks that he or she comprehends what is required of them.
For those who think that such mechanisms do not exist, equivalents are already in use. For example, rolling awareness focused on preventing conflict of interest situations arising is often conducted by professional organisations. They achieve this through on-going information giving backed up by online questionnaires to ensure not only are employees or partners up-to-date in their awareness of potential conflict of interest situations but also that the passing of the online tests documents their understanding.
The cost of not training employees is high
This training and awareness is not difficult. But it does cost, especially in terms of time. Yet the cost of not involving employees can be far greater if expensive security specialists (assuming that security specialists are available) have to spend their valuable time concentrating on the obvious and repetitive rather than fighting the new. Similarly, any breach of security can be expensive to remediate, especially if it adversely impacts the trust of your customers in your organisation as an entity with which to do business in the future. Organisations that do not actively and continuously involve employees in computing-related security are opening themselves to penetration as well as failing to exploit their greatest asset, their people.
The primary reasons why organisations do not invest in employee computing-related security awareness are, most often, a lack of time and money preventing the adoption of a methodical approach. A corporate head-in-the-sand is less immediately expensive than prevention but in the longer term can threaten the whole business: remember eBay, Target and others?
Charles Brett is principal analyst at Freeform Dynamics