How much would you pay to buy a seat-belt, were it not required by law? Answers to this question (at least from the few folks I posed it to) range from ‘Nothing’ to ‘Rs. 500’! A great value to put on your life, isn’t it? Someone said that people would pay more to watch dancing pigs than for their security. Perhaps it is true. Security, to most of us, is that distant, over-hyped syndrome that affects only other people. After all, we routinely find ourselves in long metal cylinders hurtling through the skies at the speed of sound, carrying a thousand gallons of extremely inflammable fuel and relying on over a hundred thousand moving parts built by the lowest bidder! What could be a bigger security risk than THAT? And yet, here we are, reading about it…
Our experiences of and attitudes to security in our everyday lives determine our perspective on information security in the workplace. This is the perspective we bring to work, and it guides us in our handling of myriad situations each day. The point here is that concern for security is intrinsic to our behaviour – if we do not regard it as an important enough factor in our lives, it is unlikely that we will give it due importance when it comes to data at our workplace.
Successful enterprises invariably adopt a well-thought-out and proactive approach to managing information security, in matters relating to their customers as well as corporate affairs. The question is, what does it take to weave information security into the fabric of the organisational ethos, as a means to attain sustainable long-term business value?
Building A Security Culture
I recently read in the newspaper about a credit card fraud perpetrated by some young employees of a prominent call centre in Gurgaon, engaged in providing marketing services to an international client base. Not an isolated piece of news, unfortunately. The question that many of us would like to ask is, could the organisations concerned have done more to protect their clients’ privacy from the threat within? The good part is that while such incidents do occur, they are not rampant, and obviously this points to a degree of awareness and efficacy, if not infallibility, of the measures undertaken by most companies.
The bad news is that while most companies do have systems of accountability and controls in place for, say, cash transactions by employees, partners and contractors, they still do not have the same stringent rules for information assets. Even in this Information Age, it is disconcerting that we tend to underestimate the value of information, and gloss over the potential for its misuse. This is not, one hopes, a result of fraudulent intent (at least not always), but of collectively unenlightened security behaviour, whose potential for havoc has been grossly underestimated.
Policies Alone Not The Panacea To Security Woes
Today, we measure information mostly in terms of its volume, and not its value. An acceptable security culture requires that every employee, across levels and functions, pledges to recognise the value of the information that he or she comes across and makes it part of his or her intrinsic behaviour to protect it from misuse. Most organisations do have an information management policy in place which everyone is required to sign up to, but obviously this by itself is not adequate to make information security part of the organisation’s DNA.
Companies feel safe and secure in the knowledge that they have appointed a Chief Information Security Officer (CISO) and are thereby assured of full security compliance at all times by all people. Nothing could be farther from the truth. A CISO lays down the norms and processes, prescribes the right security frameworks, imparts awareness about information security through periodic refresher programmes, prepares and implements the roadmap for the organisation’s security journey – and the like. But no CISO alone can usher in the security culture that is mandated by today’s information revolution, where each of us, at every waking instant, can directly or indirectly gain access to unprecedented amounts of sensitive information.
There has to be a built-in sensitivity and situational awareness that transcends all triggers and temptations. In most cases, this comes down to trust in the employee, which makes many organisations stop in their tracks. Most companies spend millions in building and hardening their perimeter security, firewalls and digital fortresses, but in the process ignore the threat from within. It is not about mistrusting employees. A lot of breaches happen inadvertently, or out of ignorance. Most often, employees are completely unaware of the consequences of their seemingly innocent actions.
Building a sustainable security culture requires an across-the-board effort in creating an awareness of security risks and an appreciation of the value and sensitivity attached to the information that passes through the hands of each employee. Tools such as authentication, identity management and encryption do play a role, but they do not substitute for an ingrained awareness that is repeatedly percolated down from top management. This awareness means that each employee recognises the importance of the information that he or she is entrusted with and deals with it with uncompromising care – which includes isolating it from friends, family and associates, however compelling or tempting the alternative may seem.
Frequently Overlooked Aspects
Be Aware Of The Threat Within: Many companies spend a significant amount of effort and money on hardening their perimeter security – building impenetrable firewalls, multi-layer security protocols for their LAN and WAN, setting up probes to detect malware, and the like. Which they well might, as tradition dictates that attacks from outside must be defended against. The problem is that in the process we tend to ignore other equally potent threats, which today are the cause of much more grief than vulnerabilities in the fortress wall.
A Sustainable Security Culture: As we already discussed, a sustainable security culture that makes security everyone’s concern is a pre-requisite not just for a secure IT environment, but for business competitiveness. Yet it is one of the most frequently overlooked aspects of security. Most organisations tend to take corrective, rather than preventive, action. Awards for safety and security are common in manufacturing units, but it is rare to see IT Security Awareness awards in most companies’ R&R functions.
End-point Security: End-point security is another overlooked aspect of security. When we travel by metro, local train, bus or plane on our regular commutes or business trips, we carry years of sensitive company information in the form of files and emails on our laptops, smart phones or BlackBerrys. The over-riding thought in our minds is the loss of the physical device, which we tend to squeeze tighter under our armpits. In the process we do protect the data as well, but the appalling risk of high volumes (and value) of company information traversing the city (or country) on individual devices is not recognised for its full potential for damage.
The DLP Factor: I heard of a case where an employee had been copying sensitive documents to a personal hard disk in the days preceding his resignation from the company. It was later learnt that this gentleman had left to join his company’s biggest and closest competitor. It was too late to do anything other than make weak protestations based on the original employment contract. But it was too little, too late. I am sure such instances are not common, but even one such case is enough to bring an organisation to its knees. Yet we often overlook the aspect of data loss prevention, primarily because we tend to relate it to trust in the employee. I am an employee. Yet if I have to abide by a rule that restricts copying or distribution of company information, I will most certainly respect it. After all, I am not allowed to distribute the company’s cash or capital assets, but that doesn’t imply a lack of trust in me. Why should the same not hold for valuable information assets? This is yet another overlooked area of information security whose potential for damage is either not yet understood, or simply ignored.
Tools And Tech Can Only Do So Much
To conclude, let’s go back to the opening remarks in this article about putting a value on a seat-belt. The fact is that we do value our lives – irrespective of the value we place on a seat-belt, a proven life saver. But the point here is that we do not envisage ourselves becoming victims, or being in a situation where a seat-belt would indeed be a life-saver. Similarly, most of us do appreciate that a breach of information security could be catastrophic. But we assume it won’t happen – at least not to us. That’s the mistake most of us make, and we realise it too late.
Tools and technology can only do so much. The most important, and at the same time the weakest, link in the information security chain is people. Awareness, enlightenment and education are the best protection against security threats. A culture of security – which promotes an automatic and intuitive grasp of security risks and threats, which empowers people to take action and, most importantly, where people are trusted with information and assets – can do a lot more than technology can ever do. Technology is like a lock – it is outside the door, and can be picked. A deep-rooted and widespread security culture, on the other hand, is the key that unlocks the combined power of the entire organisation to fight and win against all threats to its security and business.