From hacks against eBay to Russian internet forums with millions of stolen credit card details available for just a few pence each, the scale and scope of cybercrime is simply breath-taking. Last year alone according to MacAfee, a security company, IT security breaches cost the global economy $425 billion.
However, the true extent of financial losses to private companies is hard to judge as many breaches are simply brushed under the carpet aided by a lack of mandatory disclosure laws. James Lyne, Director of the world’s largest information security training organisation, SANS Institute takes a look at the biggest security risk – human nature.Closer to home, the UK information commissioner has taken to naming and shaming public organisations that have allowed lax security to result in breaches. Browsing through the list of incidents it is clear that one of the most common causes of security breaches is not Tom Cruise style “Mission Impossible” elite criminals but simple human error. “Most of the time when you speak to staff following an incident the initial cause might well have been somebody just trying to get a job done, often something that they believed would help the company,” says James Lyne, SANS Instructor and a security expert who has worked as both security tester and advisor to the public sector and organisations both big and small. “It could be something as simple as creating a collaborative space like Dropbox to share files, lending a colleague a password or acting on a seemingly innocuous email request.”
Lyne suggests that people in general don’t have the same level of scepticism online that they do in the real world, “If a ‘prince’ walked up to you on the street and asked for your bank details so he could transfer a million pounds as your cut of a £50 million inheritance for which he needs a UK bank account…, most people would just keep on walking. Every day, these type of spearfishing attacks are still finding victims.” However, Lyne does point out that technology has not made it easy for the non-techie as it is hard to judge which types of files or websites are unsafe. “We are taught from an early age to look left and right before crossing the road and that dark clouds might mean rain. Not many people are told that clicking on the .EXE file attachment in an email claiming to be a new security update from your online bank is not a good idea,” he quips.
Lyne who teaches several cyber security courses for the SANS Institute believes that organisations and particularly HR managers should take a leaf out of health and safety best practice when it comes to information security. “Health and safety law has been instrumental in helping to improve conditions in the workplace and failure has known consequences and remediation actions,” he points out, “If you look at information security, we are starting to see similar legislative frameworks forming in several vertical markets, within public sector and at an international level”
Probably the best known standard is the Payment Card Industry Data Security Standard (PCI DSS) which is a set of requirements designed to ensure that all companies that process, store or transmit credit card information maintain a secure environment. Set up in 2006 by the major payment card brands including Visa, MasterCard and American Express, the evolving standard aims to enforce security best practice along with continual audit to improve payment account security throughout the transaction process. More recently, in March the European Parliament passed the draft Network and Information Security (NIS) directive. The purpose of the draft directive is to establish measures aimed at ensuring a high common level of network and information security across the Union. In order to do so, the Member States, the key internet service providers and the critical infrastructure operators will become partners in the obligation to ensure the security of the network and the information.
Although legal and national frameworks are important, Meagan Tudge, Manager for SANS’ Security Awareness division believes that the 25 million businesses across the EU should be the focal point for changing human behaviour when it comes to cyber security. Tudge sees a correlation between the educational process, communication and wider understanding of best practice. “Many organisations struggle with defining and communicating Information security policies and it can sometimes turn into a checkbox exercise where employees must read and sign but don’t actually understand why or feel any affinity to maintain a vigilant and best practice posture.”
Tudge suggests that organisations could equate it to a wider view where teaching employees that Infosecurity should be a lifestyle position. In her experience, a message that says the same organised criminals that are intent on breaching corporate security will use the same tricks and traps to gain access to sensitive information at a personal level can help turn security policy into a much more compelling message. “It is not just good communication, it is absolutely true and with the rise of teleworking and Bring Your Own Device polices (BYOD), hackers are now targeting individuals outside of the workplace to try and gain indirect access to remotely connected systems,” she adds.
In her role at SANS, Meagan Tudge is Manager, EMEA, for SANS’ Securing The Human training program, which provides a high-impact information security awareness program for organisations across Europe. Organisations are now including information security awareness training as an integral part of their annual all-employee training program. It makes sense from a financial, risk and compliance standpoint to ensure that employees are aware of the danger of cyber security attacks and that they understand how they can help prevent such attacks.” Lyne also agrees that as the dependency on IT rises, across both business and our personal lives, the educational remit will become an absolute necessity. “The younger generation is far more technologically savvy but an understanding of what is safe practice in terms of information security is still missing from most structured ICT courses – this is starting to change but it is a slow and uneven process. If society is to collectively reduce the impact of cybercrime then we all need to take responsibility and the first step is a little bit of education to stop the human remaining the weak link.”
SANS Securing the Human program contains all the materials necessary to deliver a high impact security awareness program. The series of video modules, multiple choice tests and support collateral are designed to ensure that the program goes beyond simple compliance and instead focuses on changing human behaviour.
