A secure business is one where the need for security is fully understood by everybody in the organisation, is designed into all processes and embedded into decision-making. This contrasts with the traditional view that leaves security to the IT department.
Building a culture of security starts with the chief executive driving the change from the top down. “It is essential that senior management do not just talk about security’s importance, but act as role models and demonstrate the behaviours they want their employees to adopt,” advises James Alexander, cybersecurity partner at Deloitte.
Then, from the bottom up, human resources must educate users; IT must design security into systems at the outset and provide appropriate access and alerts; and managers must manage risk by understanding which data is most important to them and constantly ensure that it is properly protected.
“If you want to build secure applications you can depend on to do things you care about, you need a security architecture mindset before you start development,” says Professor Kevin Jones of City University London. “It is a different mindset to the current app culture that just throws something together that ‘sort of works’. Security testing must be built into the budget, alongside functionality testing.”
Research by SecureData Europe, a supplier of secure networks, found that most breaches use simple and avoidable techniques that have been around for years, such as cross-site scripting and SQL injection. Etienne Greeff, its professional services director, advises educating developers in the common methods of attack, how to guard against them and how to develop secure internet applications. He recommends using frameworks, like the free Open Web Application Security Project (OWASP).
“People aren’t even getting the basics right at the moment,” he says. “Security is not embedded in the business process and is always an afterthought. It is a lot simpler to build security from the start than to bolt it on afterwards.”
Employee behaviour must also be changed. According to research by Deloitte on the top five security threats, the third was employee errors and omissions (20 per cent of respondents) and the fifth was employee abuse of IT systems and information (17 per cent). Other research, by Quest Software, a systems management software company, shows that 42 per cent of professionals regularly compromise data security, not out of malice, but for an easier life.
“Most of the time they are thinking about how to get the job done in the quickest way possible and are unaware of the importance of the information,” says Kevin Norlin, Quest Software’s general manager. “If employees are constantly turning to online third party applications, writing down usernames and passwords, or using USB keys or smart phones to transfer information, it suggests that internal tools are not effective. Instead of preventing such behaviour, IT should securely incorporate similar services into their infrastructure through an internal web store.”
Employee training in security should be driven by the human resources department, adapted to cover all employees, from the board down to maintenance and cleaning staff, including the employee handbook and recruitment and induction processes. “It is not done 90 per cent of the time,” says Mr Greeff. “Half an hour invested in HR training will pay massive dividends.”
This should include making them aware of the threat of social engineering. With social networks, much more information is available to target them personally. They should not just be cautious of messages from strangers, but also of attachments and links that appear to come from friends, colleagues and even their boss.
Changing user behaviour could start by teaching them how to be secure in their home computing, says Quentyn Taylor, director of information security at Canon Europe. “Those good practices will then be brought into the workplace,” he says. “Many people even suggest that security and digital citizenship should be taught in primary schools.” Then, controls and alerts must warn and help employees before they contravene company policy.
Ron Faith, chief executive of Datacastle, a data security vendor, says that a security strategy that depends on employee behaviour will fail. “Employees are responsible for getting their jobs done, not being data police,” he says. “You need automatic data security that stands as a silent guardian and is friction-free for the user. The more security impairs the user, the more likely they will try to get around it to perform their job.”
Lastly, business managers must take responsibility for their data and constantly assess the risks to it. They should actively participate in security governance, such as the Information Security Forum’s framework. They need to define the level of access each user should have and be involved in the design of system alerts and warnings. Security professionals must replace terminology such as “intrusions, breaches and incidents” with business language, such as “risks and potential losses”.
“Security must be embedded in the way we live our lives and run our businesses,” says Nick Colman, global cloud security leader at IBM. “Security thinking and processes must be in everything the company does, as part of its daily life.”