How strange that after all these years CISOs are still worrying about their users being the main culprit in causing security breaches and ruining all their best-laid plans! It seems that, even with the best technology in the world, if your users don’t respect the information they’re working with, it can all go pear-shaped.
At the Eskenzi annual IT security analyst & CISO forum, which happens every June, we get a dozen internationally recognised CISOs to talk about their niggles and concerns; and it amazed me that after 17 years of being in this business, user awareness was still top of everyone’s agenda. They can cope with the problems of security in the Cloud and on their users’ mobiles; external hackers are obviously a pain in the backside, as indeed is nasty malware and state-on-state sponsored attacks; but these all seem to fade into oblivion when their key concern, time and time again, is how you get your users to respect the information they work with. Without their buy-in or understanding, the information they work with seems to haemorrhage out of the organisation and is borrowed, sent, lost, stolen or magically lands in the hands of their competitors.
Interestingly, Amar Singh, CISO of News UK (formerly News International) and head of the security group at ISACA, thinks he may have found the answer to user awareness – rather than expect your staff to sit and stare at a screen for boring electronic awareness sessions, engage with your staff, teach them to respect and protect their own personal data, and they will learn to respect the information they work with at work! I’m not allowed to use the word data around Amar – you must always refer to the data you work with as information. That way users respect and value it far more. He recently ran a series of non-obligatory employee engagement sessions, at which an amazing 350 people showed up, where he shared with them tips on how to protect their personal cyber lifestyles and their personal information from cyber attackers. It had a great knock-on effect in the workplace.
Once you engage your users about how their information online is vulnerable to hackers, exploiters and of course thieves then, hey presto, you’ve got them – they start to become security savvy and far more respectful of all the information they deal with. This is borne out by a lot of research that PhishMe has recently carried out – Rohyt Belani, the CEO at PhishMe, emphasises the point time and time again that, if you can get your users to understand about phishing attacks on their own personal data, then it means that they become far more savvy and respectful in the workplace. Many of their simulated phishing scenarios therefore play up to this psychology.
Other challenges that seem to keep our CISOs awake at night are institutional inertia and skills shortages – especially outside London. Hacktivism raised a few concerns, and whether we should get rid of passwords was also debated for quite a while, with no-one really coming up with any great alternative – so, guess what, they are here to stay a lot longer.
Big Data was another hot topic, being the buzzword of the day (or could it be the year?). In fact, in June it actually made it into the Oxford English Dictionary – guess what the definition is? “data of a very large size”.