DATA SECURITY
IT Security Best Practice
Trained to Protect
By Steven Sims, Course Author and Senior Instructor for the SANS Institute.
Introduction
Steven Sims outlines the importance of security awareness training.
Organisations are under constant pressure to strengthen IT security. The drivers include a tougher regulatory environment as well as the potential damage to reputation from a security breach. Yet formal IT security training is patchy at best. There are few mandatory requirements for IT security awareness in comparison to the mountains of health and safety legislation, which means organisations need to become more proactive in delivering the training and skills needed to better secure their environments.
Ready for the Breach
Based on the available evidence, it is extremely likely that every large organisation will experience an information security breach at some point in time. This hypothesis is supported by research carried out by PwC and the Department for Business Innovation and Skills, which estimates that 93 per cent of large organisations in the UK had a security breach in 2013. The threat is increasing with the rise of more interconnected networks and newer trends such as cloud, teleworking and the Internet of Things, which distribute sensitive digital data to more locations.

According to the influential Data Breach Investigation Report (DBIR), which has examined over 100,000 security breaches over the last decade, 81 per cent of the incidents can be attributed to just four root causes, namely miscellaneous errors (27 per cent), insider misuse (19 per cent), crimeware (19 per cent) and physical theft/loss (16 per cent).
The biggest factor, ‘miscellaneous errors’, is, according to the report, simply any mistake that compromises security. The main threat comes from human error, such as accidentally posting private data to a public site, sending information to the wrong recipients, or failing to dispose of documents or assets securely. However, a lack of security awareness also has a part to play in insider misuse and in physical theft and loss incidents. According to the report, not only are insiders misusing systems, but they are also culpable for issuing partners with unnecessary security privileges that in turn lead to breaches. Theft and loss incidents involving laptops, USB drives, printed papers and other information assets were not confined to taxis and trains; worryingly, the report found that 43 per cent of these losses occurred within the workplace.
For example, a common risk most organisations face today is phishing. This is when cyber attackers craft an email attack that tricks an employee into opening an infected attachment or clicking on a malicious link. In an untrained organisation, 25-50 per cent of people commonly fall victim. However, in a highly trained organisation, less than 5 per cent would fall victim to the same phishing email. Even better, the small percentage that does fall victim is far more likely to report the incident to the security team, greatly improving response capabilities and reducing the harm.
The reason most organisations fail at changing their employees’ behaviour is how they communicate with their people. Highly technical people, such as security analysts or IT administrators, often run security awareness programs. While these individuals understand security, they often lack the skills or training to communicate effectively with a large group of people. They also tend to view security problems from only a technical perspective. Security
18 NETCOMMS europe Volume V Issue 5 2015
www.netcommseurope.com