Copyright WorldCity 2008
Working against ourselves

by James Bullen

“We have met the enemy and he is us.” (cartoonist Walt Kelly, 1970)

This has not been a good year for information security. Almost every day there is a new story about credit card numbers or other personal information being stolen. Interestingly, the cause is rarely a technical problem. Rather, in almost every case, the companies involved had the necessary technology but someone made a stupid mistake.

Information security is a “people problem” that requires the avoidance of stupid mistakes. Or, as Mark Lobel, senior manager of security and privacy services for PricewaterhouseCoopers, points out, “It’s education and security awareness, basic blocking and tackling, and that does not have to cost a fortune.”

Studies by the Computer Security Institute/FBI, the U.S. Congress, technology research company Gartner and others estimate that about 75% of security losses come from people inside an organization. Yet other studies show that more than 80% of security spending is focused on technical protections against threats from the outside.

That means the Pareto Principle, or the 80/20 rule, is alive and well when it comes to information security spending. Companies, on average, spend 80% of security dollars to protect against 20% of the threats.

It is easy to rationalize why so much of the information security budget goes to technology. It is costly to build and operate infrastructures of firewalls, intrusion prevention, intrusion detection, antivirus and other applications necessary to let the good guys in while keeping the bad guys out. And threats including worms, spam, viruses, trojans, password crackers, spyware, phishing, pharming and so on are becoming ever more sophisticated. Everyone is now connected to everybody else thanks to instant messaging on desktop PCs, as well as laptops, PDAs, Blackberries, voice over Internet protocol and cell phones.

In this environment even your best customer or most trusted employee can unknowingly compromise your information security.

But that does not explain why we under-spend on protections against internal threats. Perhaps human nature is the simple answer. Most of us have a similar mismatch in our daily lives. We spend thousands of dollars on corrective medicine but eat poorly, shun exercise and pay little attention to inexpensive and easy preventive measures.

Spending to protect against external threats can, in most cases, be justified. But under-spending against internal threats cannot. As an extreme example, a multimillion-dollar security system can be compromised by something as elementary as an employee improperly protecting passwords. This is not a malicious act, but a reflection of improper training. A recent study by global accounting and consulting firm Ernst & Young found that “lack of security awareness by users” was the biggest obstacle to effective information security, yet only 28% of the companies listed “raising information security training or awareness” as a top initiative.

As that study illustrates, failure to invest in training is, to say the least, tempting fate. A cautionary tale lies in the case of a CEO’s secretary who gave her password to a caller claiming to be a computer repairman. That password was used to access sensitive information that embarrassed the CEO. He fired the secretary. She sued and won on the grounds that she had not been given proper training.

Recently a group of would-be hackers were asked what they would do if a corporation or government agency gave them a million-dollar budget to steal secrets on their behalf. The answer had nothing to do with sophisticated technological schemes. They simply said they’d give the money to an insider with access to the secrets. Clearly, the weakest links in the information system are the people who use the system.

Providing employees with security awareness training is neither difficult nor costly and it could protect an organization and its executives from the public humiliation of lawsuits, fines or even jail time.

A generic security awareness program should include:

Social engineering. Most individuals are trusting and helpful, but there are always those who will try to exploit this through phony telephone calls, fake Web sites, deceptive e-mails or other strategies.

Data storage and information transfer. This addresses the special care employees need to take when storing or transferring sensitive data.

Passwords. Employees should be educated on how to select and protect their passwords.

E-mail. Risks associated with e-mail should be explained; employees should be taught how to be fully informed e-mail users.

PCs and laptops. Employees get instruction on how to take responsibility for the safety of their personal computers and, especially, company-sensitive data on them.

Employees can also be educated on the risks associated with, and the proper usage of, PDAs, Blackberries, VoIP and wireless computing. Any courses should reinforce the company’s security policies and compliance with regulatory requirements such as federal health-care privacy regulations or the Sarbanes-Oxley Act covering financial disclosure.

In choosing a company to provide security-awareness training, companies should ask:

Was the training prepared by a certified security expert?

Is the training backed up by a professional security organization?

Can the program be expanded to include any special needs your company may have?

Will the training be regularly updated to include the latest security threats?

Does the program include audit trails and reporting tools that document and record the people taking the course, their test results and other information?

Does the program comply with the security awareness requirements of regulations that impact your company, such as Sarbanes-Oxley?

Multinational companies face the additional challenge of finding a security partner that can provide consistent training in multiple countries and languages, along with in-country support when needed.

Companies need to provide security awareness training for their people. Resources invested in this first line of defense provide the best return on investment for security dollars. The National Institute of Standards and Technology says it best with its slogan: “SEC_RITY is not complete without U!” But even if a company provides its people with training, that alone does not make the firm secure unless the training comes with visible support from the top and constant monitoring and reinforcement.

Be secure. It need not cost as much as you think.
