First defence

25 May 2011

Employees should be the new line of defence in any cyber security strategy, says a new report from PricewaterhouseCoopers.

“What is required is a new approach in which an investment in understanding and influencing the behaviours of all those concerned is balanced against continued investment in technology.”
-Craig Lunnon

Many organisations are worryingly complacent when it comes to information security, assuming that 'it won't happen to me,' while individuals often tend to think that it is someone else's problem. However, a new report from PricewaterhouseCoopers LLP (PwC) examines cyber security and explains how organisations should be making employees the first line of defence against damaging security incidents. The report, Security awareness: Turning your people into your first line of defence, suggests that the response of organisations to improving protection and reducing risks has historically been strongly biased towards further investment in technology. In essence, they have been solving what are perceived to be technical issues with technical solutions.

Craig Lunnon, Senior Manager of OneSecurity at PwC, thinks this approach is misguided. "Technical solutions are too frequently being prescribed for people problems. Although technical defence is vital, systems are inherently vulnerable to both negligent and malicious acts by people. Ignorance, confusion, anger or even curiosity can all give rise to incidents."

While the argument to change behaviour is applicable to all sectors, financial services should expect to see a better than average return for a number of reasons, says Lunnon. First, the sector is traditionally a high spender, which creates an opportunity to optimise the investment. "All parts of the sector from retail banking to investment banking rely on high levels of client trust. Loss of reputation has an immediate and sometimes fatal impact on organisations in this sector," he explains. Second, he adds, the financial services industry employs bright people and expects them to think for themselves, but traditional approaches often seek to limit rather than enable.

The Security awareness report considers whether information security currently has the right focus, and is backed up by PwC's 2010 Global State of Information Security Survey, which shows that only 48 percent of organisations questioned in the UK have an employee security awareness programme, falling behind global leaders - the US (64 percent), India and Australia (59 percent).

Efforts to improve security often create cumbersome processes that get in the way of people doing their jobs. Consequently, they can be tempted to bypass security controls, so the human element of technical solutions often diminishes the desired effect. What is required, suggests the report, is a new approach in which an investment in understanding and influencing the behaviours of all those concerned is balanced against continued investment in technology.

The difficulty large organisations often face is that security functions tend to be autonomous, fragmented and isolated while ignorance can provide a false sense of security among a workforce. PwC recommends that better engagement between security teams and the business is needed as well as higher levels of engagement between organisations and employees.

The solution is to invest in people. Make them the first line of defence - rather than the cause - of security incidents. Thus, the return on investment from a strategy that leads people to exhibit new behaviours around information security will exceed misdirected investment in technology-based solutions. "The goal is that all those working for an organisation are alert to risks, will want to act to protect information and will be actively supported in doing so," says Lunnon. "As the first line of defence, security-aware employees are often best placed to identify a potential breach or weak link. Equally, they can prevent and reduce the impacts of incidents when they do occur."

While Lunnon is not arguing for a 'one or other' approach, he is hoping that a more balanced approach will be enabled by ensuring employees are aware of security risks. Using an analogy, Lunnon explains, "When our teenage children start driving we look for the most appropriate and safest car we can afford, as well as help them find a decent instructor. This is a balanced approach to risk. In information security terms this means developing the most appropriate technology solutions, but accepting that ignorant, negligent, malicious or even plain over-enthusiastic use of this technology can still result in damage to the organisation."

Using employees as a first line of defence allows an organisation to set out how it wants its people to behave and develop interventions and controls that will deliver measurable change. It also highlights the potential issues with traditional approaches. "In the financial services sector people are paid to think for themselves and to manage risk for themselves within set parameters, so how would you expect someone to respond to having their access to the internet constrained at work? A significant proportion will find a way round the barriers and place the organisation at increased risk. An alternative might be to raise awareness of the risks, provide a source of up to date information on these risks and then trust them to manage the risks for themselves within given parameters, and with appropriate sanction if they don't," suggests Lunnon.

There are of course challenges involved in making employees the first line of defence in terms of cyber strategy. Lunnon explains that traditional approaches tend to come out of a control or compliance mindset and mitigate risk by tightly controlling employee behaviour - even where awareness campaigns are put in place, this is often to satisfy regulators or internal compliance requirements. Although organisations are required to meet regulatory or internal compliance requirements, they need to break out of this way of thinking about information security or the bigger picture will be missed.

"With all due respect to those engaged in this work, information security often falls to a senior manager within the IT or risk function who might lack appropriate influence with the rest of the business. Unsurprisingly, the solutions put in place tend to be tactical rather than strategic. To make employees the first line of defence requires a shift in culture and this needs executive sanction and support along with the involvement of a broader group of influencers across the organisation. Securing such support and engagement is a challenge."

Changing behaviour is not a black and white process; there are extensive grey areas that are multi-faceted, complex and on-going. And most organisations tend to take action before they are clear on the direction they are seeking to travel and how they are going to measure success. "How many times do awareness campaigns rush into creating intranet sites, running workshops and briefings and tracking staff attendance only to report no sustainable impact on the level of breaches or other issues?" asks Lunnon. "By taking the time to articulate what is expected of staff and how changes in behaviour from a known baseline can be measured, businesses have a framework to critically appraise plans and then measure impact on an on-going basis."

Given the increasingly high profile reports on data loss, credit card fraud and internet hacking, it is clear that having a solid cyber security programme in place is key to good IT security practice. By ensuring that employees are at the heart of this, an organisation underpins its approach to security and maximises protection.

Security awareness
Investment in security awareness measures pays for itself many times over and can help in:

  • Reducing incidents of theft, loss and fraud
  • Avoiding breaches of law and/or regulation
  • Ensuring continuous availability of business-critical information
  • Protecting brand and reducing the potential for reputational risk
  • Enabling the use of security as a positive marketing differentiator
