I had one of those weird circular chats with my Mum the other day. She point-blank refuses to use an ATM. Unless she can see the ‘whites of the eyes of the person’ dishing out her cash, she won’t use them. ‘Honestly darling, they must get backache in those pokey spaces’. Me: ‘Err Mum, it’s a machine, there is no person getting backache inside it’. Her: ‘Exactly, if I can’t trust a man with no eyes, I am hardly going to trust a machine now am I…’ I think it was rhetorical.
If you were at Infosecurity at Earls Court last week, the ‘man in the machine’ was a very real concept. All those experts visiting from Texas, who had many stories of men invading our machines, would have had a marvellous, albeit solipsistic, conversation with my Mum.
Firstly, I hate the terms ‘cyber-threat’ and ‘cyber-security’, even though I have used them in a previous blog. It’s just easier to use the phrase so everyone understands what we’re on about (and frankly, so does Google).
Secondly, I have to get something off my chest… I really am over the scare tactics used by the American security experts (think Daily Mail journalism of fear). Such were the levels of anxiety in the conference rooms, I just wanted to shout ‘BOO’ really, really loudly. Sorry.
It felt at times like we were in Die Hard 4, just waiting for the whole US infrastructure to go offline and bring us to our knees. And naturally they would all cast themselves as John McClane…
There is no doubt that security is a major concern for both public and private sectors around the world. Who can forget the big Sony hacking disaster, resulting in the theft of personal data from 100 million customers. The loss of brand credibility, loss of customers and loss of revenue is still being felt by them. And while the internet accounts for 6% of the UK’s GDP (more than agriculture and utilities), cyber-crime now costs the UK economy £27 billion. A year.
Just like me, most folk think it’s never going to happen to them. And they also think the majority of cyber threats come from outside, not inside, their organisation. Levels of security investment reflect this. From my notes at Info-Sec, the investment ratios are staggering. While 80% of global organisations invest in security, only 30% of them are investing against the security threat posed by their employees. Meanwhile only 2% of them are spending equally on both.
Is the insider threat therefore the less prevalent threat? I think not. And as I have previously documented, it’s because you can’t get stakeholder engagement on the importance of this stuff, so the statistics aren’t reported. According to the Verizon Data Breach Report, only 4% of insider breaches were investigated last year. As the report says, that doesn’t mean it’s not happening.
The threat from within is usually unintentional, but no less damaging. As organisations get more and more mobile and always ‘on’ with their technology, the threat increases. My husband has been given an iPad, because he apparently needs one for his job (read: senior management toy). It’s great, he brings it home every night and weekend and gives it to our 7-year-old to play games and download his football-related apps. Hmmm.
The technology department tried to lock it out of the corporate network outside working hours; however, that went down like a cold cup of sick. So they retreated, leaving the organisation a little wider open to the ever-increasing threat of attack on our networks.
As with anything related to technology and the business, the effective defence against all of this stuff is to really understand how the business currently works and the prevailing culture of the ecosystems within it. It’s not going to be effective to roll out a whole load of technology solutions to guard against attack in isolation from the business, especially as the business wouldn’t understand what a potential security breach might look like or how they might contribute to it.
And why would they.
There are loads of companies all trying to sell us technology to combat the insider threat. However, I wonder if a more holistic educational approach might be more cost-effective in the first instance.
If we understood the risk of our children downloading applications to our corporate devices, using Skype, or using non-enterprise file sharing solutions, then we might make an informed choice about how and when we use them in the future. Wouldn’t we?
We in the technology department can partner with HR and Facilities for a softly-softly approach to this as well. For example: integrity checks on new employees, proper induction, pull printing so sensitive documents don’t lie around on printers, and clear-desk policies for the same reason, to name but a few initiatives. I could go on. (And if you want to hear more about the workshop I do on this, please do get in touch.)
Firstly, however, we should perhaps start with the Service Desk folk. They are often on the front line of enforcing this stuff and have the most day-to-day contact with the business, so they are best placed to keep educating it. Further, they are often not empowered to understand the reasons why governance around this is so important. Sadly they end up with very frustrated customers when they just say ‘No’ because they are told to.
The next time we groan about a senior manager’s personal printer running out of toner, we might be able to empathise, understand the bigger picture, and carry on the holistic education of the business about the wider security picture, thereby gradually shifting and reinforcing a new security-conscious culture.
Lastly, I’ll leave you with this thought. My oldest friend works in a highly commercial organisation where hot-desking is the norm for everyone, regardless of stature. She thinks Facilities provides a brilliant service of shredding all paper left on desks at the end of the day. So she never has to tidy her desk ready for the next person to hot-desk. ‘Genius’.
I couldn’t help my wry smile…