“Human Resources Departments are key to information security” states SANS Institute

In tandem with European Cyber Security Awareness Month, Lance Spitzner (director at the SANS Institute) suggests that Human Resources Departments have a critical role to play in helping their organisations improve information security procedures.

“Organisations are beginning to realise that they have to secure the human element as technology can only go so far,” explained Spitzner, an internationally recognised leader in the field of cyber threat research and security training and awareness. “As long as individuals store, process or transfer information then they too must be secured. One of the most effective ways in which to secure employees is to change their behaviours through an active, longer term security awareness programme.”

Spitzner (who has spoken to and worked with numerous organisations including the NSA, FIRST, the Pentagon, the FBI Academy, the US President’s Telecommunications Advisory Committee, MS-ISAC, the Navy War College and the CESG in Britain) suggests that, based on the available evidence, it’s extremely likely every large organisation will experience an information security breach at some point in time.

According to the influential Data Breach Investigation Report which has examined over 100,000 security breaches across the last decade, 81% of the incidents charted can be described by just four root causes: miscellaneous errors (27%), insider misuse (19%), crimeware (19%) and physical theft/loss (16%).

The SANS Institute believes that security awareness training must be given more importance as the likelihood of human error leading to a security breach increases

The main threat comes from human error, such as someone accidentally posting private data to a public site, sending information to the wrong recipients or failing to dispose of documents or assets in a secure manner. However, lack of security awareness also has a part to play in insider misuse, physical theft and incidents of loss.

“In the past,” continued Spitzner, “organisations have orchestrated security awareness programmes, but these were primarily compliance-driven and designed by auditors to ensure the company could ‘check the box’. These programmes consisted of nothing more than a once-a-year PowerPoint presentation or some very basic computer-based training. In recent times, host organisations have begun a fundamental shift in terms of how they approach awareness and training. They’re now building mature security awareness programmes that identify and change high risk human behaviours.”

Spitzner advocates that the first task is to gain the support of management and answer the key questions of ‘Who?’, ‘What?’ and ‘How?’

“Once you have a programme rolled out,” continued Spitzner, “you’ll need the ability to measure it. Measuring provides several things. First, it helps you identify where your greatest risks are and where you need to focus your efforts. Second, it can be used to demonstrate the value of the programme to senior management, in turn gaining you the support you need in order to keep that programme going in the longer term.”

European Cyber Security Awareness Month

European Cyber Security Awareness Month is a European Union advocacy campaign that takes place each October. The overall aim is to promote the subject of cyber security among citizens, change their perception of cyber threats and provide up-to-date security information through education and sharing of good practices.

To further support this initiative in 2014, Spitzner is running a webinar session offering a step-by-step walk through of how to take your security awareness programme to the next level. The session covers key points including how to leverage the Security Awareness Maturity Model, effectively engage people, measure change in behaviours and communicate those results to management.

Registration is available via: https://www.sans.org/webcasts/securing-human-emea-generation-awareness-programs-98857

Filed under Risk UK News