Security Think Tank: Teens in basements don’t represent a positive security culture

The world of information security and cyber security is often portrayed as deeply technical, focused on repelling the “hooded hacker”. This can do one of two things to an organisation’s user community: instil a fear that there’s no way to stop security attacks, or feel so far removed from that view that there’s no need to worry about it.

The reality is that security is everyone’s responsibility, and individuals should feel “connected” enough to be able to contribute.

To enable this, the portrayal of the hooded hacker must stop. Security incidents and breaches can be malicious and indeed can come from a hooded script kiddie in a bedroom in a small town, but attacks can also come from other quarters, such as suit-wearing employees of nation states, hacktivists bent on causing disruption, and disgruntled former employees.

Also, security incidents and breaches are not always malicious – they can be accidental, resulting from poor data protection practices within an organisation through to insiders choosing to ignore processes because they are too easy to bypass.

Far too often, a “stick” approach is used when it comes to people and security. “Weakest line of defence” and “people do stupid things” are oft-repeated phrases by those responsible for information security and cyber security in an organisation. This also needs to stop: enabling the user community to take at least partial responsibility for security requires a positive security culture at an organisation.

Awareness programmes on their own are insufficient; these programmes must evolve into education focused on developing skills, so that users know why they must adopt secure behaviour and what the potential consequences of their actions might be.

Let’s take an easy example: leaving a computer screen unlocked in the office. What damage can this possibly do? Well, let’s start with the insider threat. Malicious insiders may well be within the organisation, see an unlocked laptop and use it to access confidential or sensitive information with another individual’s credentials. Who has really accessed the information?

Or a visitor walks past the same desk with an account manager. The visitor is a potential client and, should the potential client turn into a customer, your organisation will be holding some confidential data about his or her company. The lack of attention to security has the potential to change a deal decision.

These are high-risk touchpoints, where individuals interact with systems and data, and where human error could have major consequences.

Security education programmes are required. Educating the entire organisation about secure behaviour and why secure behaviour is essential will slowly help to increase security responsibility in the workplace. This isn’t a one-off project – it should be an ongoing programme that reinforces secure behaviours.

Those being vigilant should be rewarded (for example, call out those who successfully recognise and report a phishing email), while individuals who consistently fail to apply secure behaviours should be targeted with tailored education programmes. And, most importantly, the tone from the top should be security-focused. Everyone from the CEO down must exhibit and promote secure behaviour for it to become embedded in the organisation’s culture.