4. The Root Cause
- 48% of Breaches Were Caused by Insiders - Verizon
- 90% of Malware Requires Human Interaction - Symantec
- 100% of Successful Attacks Compromised the Human - Mandiant
- 64% of Orgs See Security Awareness as a Challenge - E&Y 2010
- 3 times as many breaches are caused by accidental insider activity as by malicious intent - Open Security Foundation
All these companies have been very publicly breached, creating headlines around the world.
The common theme across those companies is that they were the victims of what has been dubbed the Advanced Persistent Threat. Each of these companies has very active and large security programmes in place.
So why were they breached?
While each of the breaches may have involved some cool hack, such as a 0-day exploit (or oday for our American friends), the common denominator across them all has been that each breach involved human interaction to facilitate the attack.
The Google hack was the result of an employee clicking on a link embedded in an email. This link brought them to an infected website that used an exploit within IE6, providing the attackers with a foothold within Google. Now, why Google was using IE6 rather than Chrome is another issue.
The RSA hack was the result of an email with an MS Excel spreadsheet attachment which, when opened, exploited a vulnerability in Adobe Flash, which again gave the attackers the foothold they needed.
So obviously people are the weakest link
So why are these attacks so successful? Are your fellow workers stupid? They must be if they are gullible to these ruses?
People are the weakest link
Or maybe they are just lazy and don’t want the hassle that security brings into their lives.
Perhaps they are so arrogant and cocky that they think that:
- They will never fall for a scam
- They are too important to worry about information security, that is IT’s job
- They are too important to have their work interrupted by security
Perhaps they choose to ignore the risks. After all, it is not their problem.
Or simply they may not care. After all, it is not their job to worry about security; they have other things to be worried about.
But mostly they are just trying to get their job done. Most people are quite busy surviving their day job, and in this current climate, surviving is all they care about. Their focus is on their job and not necessarily on security. Whatever it takes to get their job done, that is what they will do. They will often view security as an obstacle to how they get their job done.
They not only have to worry about information security, but they also have other programmes they need to keep up with:
- Health and Safety
- Ethical
- Professional Development
- Company policies
- HR Issues
So if people are the main issue, then surely that is where most of our security investment is going? The opposite is true.
A recent survey by Gartner shows that companies with a MATURE information security programme in place spent approximately 10% of their overall IT budget on information security. Of that 10%:
- 37% is on personnel, salaries etc.
- 25% is on software
- 20% is on hardware
- 10% on outsourcing services
- 9% on consulting, which includes security awareness training
If people are the main cause of breaches, why are we spending so little on security awareness? Clearly our focus is in the wrong area. So it is important not only to revise where we spend our money but, more importantly, to spend that money wisely.
The content of many security awareness programmes can be very boring to the ordinary person. While we may find information about viruses, exploits and hacks to be riveting stuff, in reality it reduces most people to glazed-out drooling zombies who would rather be thinking about something else.
- Often the content is boring.
- The trainers may not be knowledgeable enough about the topic, or indeed may not be good trainers. You may be an excellent security professional, but can you engage an audience on something they do not care about?
- The delivery mechanism may be wrong. Online courses can often be ineffective if they do not address the core needs of the audience, or if they are viewed as a game to see who can answer the questions as quickly as possible.
Most security awareness programmes fail because they fail to meet the deliverables, if any deliverables were defined in the first place.
Many security awareness programmes are simply there to fulfil a compliance requirement. Therefore the cheapest solution to meet that requirement is what is selected, rather than what is most effective.
On a more individual basis, some companies think that coercing people into completing their security awareness training as part of their annual review is the way to get it done.
A big failure is programmes not being relevant. How many people in this room have taken security awareness programmes that refer to laws or regulations not relevant to them? E.g. US laws.
Others fail because they do not measure how effective their programmes have been. Often no benchmarks or goals have been identified to measure the success of the programme. So when looking for additional budget or to re-run the programme, it is hard to prove to management what the return on investment or success rate of the programme has been.
But mostly we simply select a solution and hope for the best
So how do we go about securing the nut between the keyboard and the screen?
We need to develop a solution that is continually improving itself over time as our needs change, similar to the Plan Do Check Act cycle within ISO 27001 and other quality standards.
Get Management Support
- Not just on paper
- Active participation
Be prepared
- Identify the business needs of your organisation
- How dispersed is the audience? Are they spread over remote offices?
- Have you got remote workers to consider?
- Technology Profile of Users: IT vs. End Users
- Profile of Users: Managers, Mobile Workers
What are the Organisational Psychology/Motivational Drivers?
- Identify the audience
- Different content for different profiles
- What are the drivers for each group, e.g. Sales v HR v Accounts?
- Timing of courses to fit in with business needs. Don’t schedule the course for Sales at the end of a quarter when they are focused on meeting key sales figures.
- What will be the age/social profile of the audience? Young and tech savvy or old and technophobic?
You will need budget to run your programme.
- It should be a set budget and not what remains over from the IT security budget
- Try and get an annually allocated budget
Delivery Mechanisms
- Classroom/Lecture Style
- Workshop
- Integrated in Induction Training
- Web Based
- Role Plays
- Games
- Internal vs. External Material: What Are the Main Differences?
- Internal vs. External Trainers: Why Choose One Over the Other?
Size of Organisation
- How Many Locations?
- International Issues
- Remote Workers
What are the Drivers?
- Regulatory?
- Good Practice?
Provide a hook for the audience, e.g. computers at home, impact of information loss in real terms.
On-going Communication
- Use Expertise Elsewhere in Company: Marketing Department, HR, PR Department
- Track Attendance
- Seek Feedback
Reinforcement
- Posters
- Mouse mats
- Login Messages
- Regular Testing: could be integrated with annual reviews; Spot Checks/Tests
Monitor Success of Programme
- Monitoring Tools
- Tests: End of Session, On-going Tests
- Feedback from Attendees
- Feedback from Managers
- Budget: On Target? As % of Overall Infosec Budget
- Attendance: Did All Employees/Depts Attend? Is there a pattern?
- Did Programme Complete on Time?
- Ideally Try to Benchmark Beforehand
- Increase/Decrease in Incidents (paradoxically, reported incidents will rise after a course)
- Increase/Decrease in Password Resets
- Increase in Visits to Intranet Site for Infosec
- Trend in Lost Laptops & Mobile Devices
Review
- Regulatory Requirements
- Changes in Technology: Mobile Technologies, Social Media
- Changes in Business: Mergers & Acquisitions, New Markets
- Changes in Staff Profiles/Knowledge: don’t give the same course to the same people repeatedly
- Changes in Workforce: Full Time vs. Part Time, Remote and Teleworking, Employing New Locations