When he was questioned about the ethics of his role, Robert Oppenheimer, father of the atomic bomb, replied, "We were working on a very technical problem - trying to determine how to build the atomic bomb - when we should have been asking a more basic question: should we build the bomb?"
It is a long time since anyone has been confronted with a dilemma on that sort of scale, thank goodness. But it occurred to me, after spending the past few weeks mulling over the question, "Does industry have an ethical or moral duty to teach its employees about information security?", that, like Oppenheimer, I was asking the wrong question.
The point of contention is not an ethical one, but whether it is, in any event, the smart thing to do. The answer, of course, has to be yes.
The subjects of information security training, education and awareness have been around for some time. Some believe that technology is the cure for all of information security's ills. Others believe that legislation is the way forward. Many, myself included, wonder why most businesses still lack basic information security awareness training and ethical usage programmes.
A company has a responsibility not only to its shareholders, but also to its employees and to the society in which it operates. Informed employees not only assist in protecting the assets of their company, but are also better able to protect themselves and their families from any number of cybercrime issues.
Worms live on ignorance
Many of the current worms and Trojans infecting corporate networks rely upon the user's ignorance to function. I have even seen viruses that flag up end-user licence agreements during installation. Viruses relying upon basic social engineering, such as, "Attractive blonde in office loves you", still prove depressingly effective.
Malware has always been one of the highest-cost issues in information security; improving user awareness would go a significant distance towards reducing those losses. User awareness may also assist in reducing another significant cause of asset shrinkage: intellectual property theft.
This could be addressed by teaching users how to handle and protect confidential company data properly and how to report breaches of company policy or instances of malfeasance to the proper authorities.
How should a company handle the issues of information security training, education and awareness? Cable & Wireless, for example, has approached it from several different angles.
All new employees must attend an induction day, which includes a security seminar. This seminar covers both physical procedures and information security training. The purpose of this briefing is not simply to raise awareness, but to create a culture of security.
This initial training is supplemented by security awareness days, where employees will experience, at first hand, security principles in action.
This may take the form of an enhanced identity check at the front door upon entering a building, a discussion about the use of passwords for workstations, or a full-blown evacuation exercise.
In addition, we are developing a web-based "security knowledge zone", accessible to all employees, where relevant security information can be found using a simple point-and-click method. There are also mandatory online security exercise programmes, which all new employees must complete.
It is my hope that such comprehensive security programmes will become more commonplace in other companies, helping to raise the awareness and protection profile of the general public.
The purpose of any security programme is not to develop a foolproof system: we all know how ingenious fools can be. The purpose of a security programme is to raise the bar of difficulty high enough to deter most attempts and restrict the number of individuals capable of defeating the countermeasure.
If this is done in a cost-effective and fiscally sound manner it can be like every other element of information security: not a silver bullet, but another piece of armour helping to complete the full suit.
Richard Starnes is director of incident response at Cable & Wireless. He is also president of the Information Systems Security Association UK.