The lack of awareness and understanding of risks is one of the biggest challenges to information security, according to a panel of experts.
Research showed that 93% of data security breaches between April and June 2014 were due to human error, attendees of the inaugural (ISC)² EMEA Security Congress in London were told.
“Nearly half of those incidents involved data being emailed to the wrong recipient,” said Ray Stanton, security advisor and executive vice-president of professional services at BT.
No matter how good the IT security team and the technology is, security will remain weak if information security professionals fail to influence people in the business to get the basics right, said Stanton.
Information security awareness training should be a mandatory part of induction training for everyone who joins an organisation, said former UK home secretary David Blunkett.
“People will always be the most vulnerable part of any organisation’s information security, because people make mistakes and they are easily manipulated,” Blunkett said.
Organisations should strive to create a security culture, said Stefan Lüders, head of computer security at Cern, the European organisation for nuclear research.
“Safe practices need to become automatic, like crossing the road, so that people automatically check where they are sending data and do not click on embedded links and attached documents,” he said.
Matching security to staff
Lüders said anti-phishing training using simulation exercises can be a useful way of “getting the ball rolling” so people become more aware of security and start asking the right questions.
Stanton said information security professionals need to ensure they make security relevant to everybody in the organisation, adapting the message to people of different ages and job roles.
“Explain what security means to them; how they can be affected and what they could lose if they are compromised by hackers,” he said.
In this regard, Stanton said information security professionals should work to influence the rest of the organisation to follow best practice and ensure this is backed up by continual education efforts.
Information security professionals need to go back to basics and explain the fundamentals, said John Colley, co-chair of the (ISC)² European Advisory Council.
“There are 101 things we do instinctively and take for granted, so it is important not to overlook key underlying principles when trying to educate others. But it is also important not to overcomplicate things,” he said.
Colley said organisations' employees need to have the understanding and skills to do the right thing when technology fails.
“Most passenger aircraft are able to fly automatically, but there are always two to three pilots on board any flight who can take over if necessary,” he said.
The second major challenge to information security, said Lüders, is the fact that software producers continue to ship products that are not 100% secure.
“Many software products do not have the level of safety and security that you would expect but, unlike other products, the suppliers currently do not accept any liability,” he said.
Lüders said that, like availability and reliability, organisations should expect and demand security to be an automatic part of any software products they buy.
As far as technology challenges are concerned, Stanton said information security professionals should focus attention on developments such as quantum computing and their impact on security.
“Some of these things are not as far out as many may think and it is important to begin preparing in good time,” he said.
Minimising the human risk
Lüders said that, in the light of the fact that the human factor is often the weakest link, new and emerging technologies should be designed to take care of security automatically.
“We also need to press governments to publish all the exploits they are seeing to help organisations be better prepared rather than sitting on this intelligence for months and even years,” he said.
Blunkett said technology developers should also focus more attention on how to migrate data from legacy systems to newer, more secure systems designed to deal with modern cyber threats.
“We should demand that industry make security a top priority in all new products and services, especially with the rise of the internet of things,” he said.
And globally, societies need to work through what they will and will not accept authorities doing in the name of keeping citizens safe, said Blunkett.
“Whether you consider Snowden a thief or a traitor, it has opened up a debate – but the UK and US are still struggling with how to deal with this,” he said.