In tandem with European Cyber Security Awareness Month, Lance Spitzner (director at the SANS Institute) suggests that Human Resources Departments have a critical role to play in helping their organisations improve information security procedures.
“Organisations are beginning to realise that they have to secure the human element as technology can only go so far,” explained Spitzner, an internationally recognised leader in the field of cyber threat research and security training and awareness. “As long as individuals store, process or transfer information then they too must be secured. One of the most effective ways in which to secure employees is to change their behaviours through an active, longer term security awareness programme.”
Spitzner (who has spoken to and worked with numerous organisations including the NSA, FIRST, the Pentagon, the FBI Academy, the US President’s Telecommunications Advisory Committee, MS-ISAC, the Navy War College and the CESG in Britain) suggests that, based on the available evidence, it’s extremely likely every large organisation will experience an information security breach at some point in time.
According to Verizon's influential Data Breach Investigations Report, which has examined over 100,000 security incidents across the last decade, 81% of the incidents charted fall into just four categories: miscellaneous errors (27%), insider misuse (19%), crimeware (19%) and physical theft/loss (16%).
The main threat comes from human error, such as someone accidentally posting private data to a public site, sending information to the wrong recipients or failing to dispose of documents or assets in a secure manner. However, lack of security awareness also has a part to play in insider misuse, physical theft and incidents of loss.
“In the past,” continued Spitzner, “organisations have orchestrated security awareness programmes, but these were primarily compliance-driven and designed by auditors to ensure the company could ‘check the box’. These programmes consisted of nothing more than a once-a-year PowerPoint presentation or some very basic computer-based training. In recent times, host organisations have begun a fundamental shift in terms of how they approach awareness and training. They’re now building mature security awareness programmes that identify and change high risk human behaviours.”
Spitzner advocates that the first task is to gain the support of management and to answer the key questions of ‘Who?’, ‘What?’ and ‘How?’: who the programme targets, what behaviours it aims to change and how it will reach people.
“Once you have a programme rolled out,” continued Spitzner, “you’ll need the ability to measure it. Measuring provides several things. First, it helps you identify where your greatest risks are and where you need to focus your efforts. Second, it can be used to demonstrate the value of the programme to senior management, in turn gaining you the support you need in order to keep that programme going in the longer term.”
European Cyber Security Awareness Month
European Cyber Security Awareness Month is a European Union advocacy campaign that takes place each October. The overall aim is to promote the subject of cyber security among citizens, change their perception of cyber threats and provide up-to-date security information through education and sharing of good practices.
To further support this initiative in 2014, Spitzner is running a webinar session offering a step-by-step walk through of how to take your security awareness programme to the next level. The session covers key points including how to leverage the Security Awareness Maturity Model, effectively engage people, measure change in behaviours and communicate those results to management.
Registration is available via: https://www.sans.org/webcasts/securing-human-emea-generation-awareness-programs-98857