Infosec 2009: the human side of security

Cybercrime and data breaches have grabbed the headlines in the past year, but it is people and their role in preventing these that will dominate Infosecurity Europe 2009.


Security suppliers will be there with the latest technology trends, but the spotlight will be on the human element of security throughout the event, which takes place from 28 to 30 April at Earls Court in London.

Former home secretary David Blunkett will give the opening address at the conference on the rapidly changing face of cybercrime, the true nature of which he says is little known.

People in the public and private sectors need to be more aware of the enormous threat posed by cybercriminals, Blunkett says.

Encourage good management

A good information security awareness programme can enable good data management, says Peter Bassill, information security officer at the Gala Coral Group.

Bassill, one of the panellists in a debate on whether security is about people or technology, says there is no replacement for technical counter-measures, but "with an awareness programme in place, employees will know what will happen if they take data".

A common problem is that IT security managers typically lack the skills required to understand and change user behaviour, says independent researcher David Lacey.

Success depends on enlisting the help of professionals with the right skills. Lacey, who will discuss managing the human factor in information security at the conference, says psychologists can help understand what influences people's attitudes.

This will help create policies that encourage good security practice, but security managers should also call in journalists to help write and communicate those policies.

Prepared for attack

Another important element of awareness is knowledge of the attack methods used by cybercriminals, says Howard Schmidt, president and chief executive of the international Information Security Forum (ISF).

"IT security professionals can identify true weaknesses in their defences only if they share information with law enforcement officers investigating cybercrime," he says.

Schmidt, one of the panellists in a discussion on the dynamics of e-crime, says IT professionals must ensure their knowledge of cybercrime is passed on to end-users.

"IT end-users should be able to identify potential cyber threats and know how to respond to them," he says.

If an employee sees a cable trailing across the office floor, they immediately think of health and safety risks, says Raj Samani, vice-president of communications at ISSA UK.

"We have to aim to replicate what the health and safety industry has done and get information risk ingrained into employees' minds," he says.

Samani is one of the panellists taking part in a debate on externalisation that will consider security in an environment where the boundaries between organisations are disappearing.

Understanding business processes

Other key areas to be highlighted at this year's conference include information security skills, ways of preventing data breaches, the challenge of policing international e-crime, and effects of the credit crunch.

IT security professionals will need to have a greater understanding of business if they are to succeed in the next decade, says Paul Dorey, chairman of the Institute of Information Security Professionals (IISP).

"They will also have to be able to use recognised standards and repeatable processes to take a more scientific and disciplined approach to security," he says.

Dorey adds that many IT security professionals lack the necessary skills in business leadership, risk assessment and effective communication.

He will discuss how businesses should go about addressing that skill shortage in his presentation at the conference.

Information sprawl caused by distributed, networked computing is one of the biggest causes of data breaches, says Dan Blum, principal analyst at the Burton Group.

Information will always be at risk as long as it is allowed to exist in several places in an organisation without proper access controls, he says.

Blum is a member of a panel that will discuss high-profile data breaches in the past year and what can be done to reduce the risk.

Responsibility for policing the global internet is another important debate at the conference.

"As yet there is little agreement over who should do and pay for what, but there does appear to be agreement that the answer has to be a partnership," says Philip Virgo, secretary general of Eurim, who will be chairing the debate.

Security on a budget

The credit crunch has also grabbed its fair share of headlines in the past year, with many IT departments giving careful consideration to the way forward.

"A crisis can force an organisation to become more agile, adaptive and resourceful, but in the field of IT security, money should not be saved at the cost of defence," says Eric Domage, research manager at IDC Europe.

"Conversely, money should not be spent without first examining all available options," he says.

Domage is one of the panellists taking part in a debate on the global credit crunch and the IT security market that will look at ways in which security can support IT development in a tough investment climate.

Insight into the criminal mind

Infosecurity Europe 2009 rounds off with an opportunity to learn more about the workings of the cybercriminal mind, as recommended by Howard Schmidt.

He is to chair a panel of hackers as they discuss corporate espionage, hacking methods and mitigation.

Opinion: The human side of data loss prevention 

Peter Bassill, group information security officer, Gala Coral Group

One of the hot topics for many information security officers and almost all suppliers within the IT security industry at present is data loss prevention.

For many information security officers (ISOs) and IT directors, not a week will pass without a supplier calling to talk about and sell a data loss prevention solution that is hailed as a way of controlling data egress points.

From the products I have tested, I can say that they do what they say on the packaging, but in this economic climate, when boards are mandating decreased budgets and businesses drive for lower operational costs, is there another way of achieving a similar result without large capital outlay?

Good increases in data management can be achieved through a good information security awareness programme. A good awareness programme can make significant strides to decrease accidental loss of data, which is by far the most common cause of data breaches, and then use technical solutions to assist and complement the work of the awareness programme. Awareness programmes take time to set up and need buy-in from the very top of the business. Key executives are usually happy and eager to help; they see both the security benefits and the benefits of lower operating costs.

For example, the use of portable media has caused many businesses a large headache and has led to a number of high-profile data breaches. By educating your staff on the virtues of good data management around portable devices and ensuring a good understanding of classification labels and how to protect data within certain classifications, staff have shown they are capable of adequately protecting data and correctly using portable media devices.

This is not to say that you should not complement the training by issuing only encrypted portable devices and controlling data written to non-encrypted devices. In taking this step you reinforce the training and show the workforce that you are taking the matter seriously.

By viewing technology as an assistant to good information security practices rather than the primary enabler of information security, you are better placed to view the options open to the business. Taking a broader spectrum view of your business practices allows you to better understand where information security gains can be achieved easily and where gains will take longer to realise.

An excellent area within the realm of information security where the people element returns excellent gains is in penetration testing. By engaging different business unit members in internal penetration testing it is possible to identify where processes are not working and could lead to potential security issues. Using this method of penetration testing in conjunction with traditional external testing you get a fuller and more rounded view of your overall security stance. This will help in identifying the many egress routes that data could potentially take out of the business.

A good security awareness programme will not safeguard against those rogue employees that want to take the data with them, however. This is where there is no replacement for the technical counter-measure. But with an awareness programme in place, employees will be aware of what will happen if they are found to have taken data, and the HR department will have an easier time of dealing with these employees if you can prove they are fully aware of the policies and have taken part in the awareness training.

Peter Bassill, CISSP, CITP, group information security officer at Gala Coral Group, is speaking in the keynote on "Is security about people or technology?" at Infosecurity Europe, 28-30 April, Earls Court.
