Information security has traditionally been led by technology and, as a result, the role and value of people has been overlooked. That is the view of Emma W, people-centred security team lead at the UK’s National Cyber Security Centre (NCSC).
The perception of people as the weakest link is unfair and a natural consequence of a technology-led security culture, she told Computer Weekly.
“We have not always had people working in cyber security with a deep understanding of human behaviour or the input of psychologists, social scientists and the like to tell us why people behave the way they do.
“As a result, organisations tend to treat users as people who should do as they are told, but they don’t always, and often the reason is because they can’t.
“However, these reasons are often not recognised, and instead users are seen as either being unco-operative or stupid, but this is not true and is a perception that we have to turn around,” she said.
An example of where end-users are typically blamed for failures is around passwords, but many organisations have unreasonable expectations.
Most people find it challenging to remember multiple passwords, especially when organisations insist on long and complex passwords that must be changed regularly.
Instead of being critical of employees who fail to adhere to unreasonable password policies, organisations need to have a more sophisticated understanding of how humans can be a security asset, she said.
“They need to understand that if humans appear to be poor at security, it is because they are being required to do things that are difficult or impractical to do.”
The NCSC believes this indicates a need to reshape the relationship between the IT security team in an organisation and users of the IT systems.
While some information security professionals understand that their role is to support and enable the business, Emma W said less progress has been made in understanding how to relate to end-users.
Users still commonly see security as a policing role, she said, and do not feel confident enough, or are too afraid, to talk to security teams about the challenges they face and where they feel the need to bend or even flout security rules to get their jobs done, for fear of being sanctioned in some way.
“This is the relationship we need to reshape, and a critical part of that is enabling two-way communication between security teams and the rest of the organisation, rather than users’ current common perception that security just sits in its own silo and tells everybody else what they need to do,” she said.
“In reality, security professionals don’t have all the answers and users have a contribution to make in supplying some of the answers. Security professionals need to start listening to what users are trying to do and understand that they can be the strongest, not the weakest link in security.”
End-users should be viewed as positive assets who have information that security professionals do not have about how the business runs and how it needs to run, rather than being seen as a liability that has to be managed, said Emma W.
“Security professionals need to review how they gather information about security, so they can get the right support to discover the real problems facing their business and fix them,” she said.
Security professionals also need to understand that occasional security awareness training and a poster-based awareness campaign are no substitute for meaningful two-way communication that enables them to know what people need from security and how security can help to support the business.
“It is about security teams finding out what is really going on in an organisation, and why people are not doing the things the security team want them to do – and it is probably not because people are weak, stupid or deliberately trying to sabotage security efforts,” said Emma W.
“Mostly people are well-intentioned and know what they are supposed to be doing, but they are trying to get a work task done and the organisation is not giving them the right way to do it,” she said, with the result that the task may be getting done, but not in the most secure manner possible.
Where employees feel they cannot work within the system or that they are running the risk of being punished for things beyond their control, they will look for alternative ways of working and that is what gives rise to shadow IT and real work processes being driven underground, she said.
For this reason, the NCSC is championing the view that people are potentially organisations’ strongest link when it comes to cyber security, and is encouraging organisations to move towards generating positive, collaborative solutions that give users a chance to show that they are the greatest assets in security, as much as they are in business.
Users are typically blamed for failings around passwords, but this is mainly because most people find it difficult to follow company policies on passwords.
“Security teams need to accept that people cannot remember multiple complex passwords and that no amount of awareness training is going to solve the problem,” said Emma W. “Security professionals have to understand they have to take the pain from the users and find alternative ways to solve the problem.”
Review password policies
Organisations should review their password policies, apply passwords only where necessary and look to replace passwords with easy-to-use alternative authentication methods, she said.
Once organisations have taken some of the passwords away, they can then start being a bit more realistic about the kind of passwords they expect employees to create, instead of requiring extremely long and complex passwords that employees will struggle to remember, she said.
“Organisations should examine whether they can find ways of getting by with shorter, simpler passwords and doing away with things like regular password changes, which in reality deliver very little extra protection and yet are the bane of many people’s lives,” said Emma W.
“It involves primarily assessing the reality of how things are because a lot of the benefits of traditional password management are assumed and are not there in reality, and because of a failure to face up to the fact that these assumptions are not true, organisations are taking on additional risk.”
Organisations must face up to the fact that some of the old ways of working are ineffective in terms of security and move on to practices that deliver real security by taking into account how things really work, what people need to do, and how they can do that easily, efficiently and securely, she said.
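The policy shift described above can be made concrete by evaluating the same candidate passwords under a legacy policy (short minimum length, mandatory character classes, forced rotation) and a revised one (longer minimum length, no complexity rules, no expiry, plus a deny list of common passwords). The code below is an added illustration written for this page, not NCSC code or guidance text; the thresholds, the deny-list contents and the `PasswordPolicy`, `evaluate` and `compare` names are all assumptions chosen for the example. It shows how a complexity-and-rotation policy can accept a weak but compliant password while rejecting a long, memorable passphrase, and how the revised policy reverses that outcome.

```python
"""Added example: legacy versus revised password policy (illustrative only)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple
import re


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int
    require_complexity: bool      # upper, lower, digit and symbol all required
    max_age_days: Optional[int]   # None means no forced rotation
    deny_list: FrozenSet[str]     # assumed: common or previously breached passwords


# Constructed sample deny list; a real one would come from a breach corpus.
COMMON_PASSWORDS = frozenset({
    "password", "password1", "password1!", "welcome1!", "qwerty123",
})

# Assumed thresholds, chosen to contrast the two approaches.
LEGACY = PasswordPolicy("legacy", min_length=8, require_complexity=True,
                        max_age_days=90, deny_list=frozenset())
REVISED = PasswordPolicy("revised", min_length=12, require_complexity=False,
                         max_age_days=None, deny_list=COMMON_PASSWORDS)


def evaluate(policy: PasswordPolicy, password: str,
             days_since_change: int = 0) -> Tuple[bool, List[str]]:
    """Return (accepted, reasons) for one password under one policy."""
    reasons: List[str] = []
    if len(password) < policy.min_length:
        reasons.append(f"shorter than {policy.min_length} characters")
    if policy.require_complexity:
        classes = [r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"]
        if not all(re.search(pattern, password) for pattern in classes):
            reasons.append("missing a required character class")
    if password.lower() in policy.deny_list:
        reasons.append("on the deny list of common passwords")
    if policy.max_age_days is not None and days_since_change > policy.max_age_days:
        reasons.append(f"older than {policy.max_age_days} days, rotation required")
    return (not reasons, reasons)


def compare(password: str, days_since_change: int = 0) -> dict:
    """Accept/reject verdict for the same password under both policies."""
    return {p.name: evaluate(p, password, days_since_change)[0]
            for p in (LEGACY, REVISED)}


if __name__ == "__main__":
    for candidate in ("Password1!", "correct horse battery staple"):
        print(candidate, "->", compare(candidate))
```

Running the block shows `Password1!` accepted by the legacy policy and rejected by the revised one, while the four-word passphrase is rejected by the legacy complexity rule and accepted by the revised policy; the `days_since_change` argument lets you see that only the legacy policy ever forces a change of a password that is otherwise sound.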
One way the NCSC is championing this new approach to cyber security is by enshrining its principles in all the guidance it publishes on key cyber security topics.