In one of his recent blogs on security, the Editor closed with the observation that “The mundane nature of the [ICO’s] ‘Top Tips’ serves to confirm that most data security breaches are the product of basic human failings and, whether designing web servers or filling window envelopes, there is no prospect of human failure going out of fashion. Data loss is here to stay.”[1]
If one accepts the truism that “there is no prospect of human failure going out of fashion”, that must surely be the starting point for anyone attempting to increase security, whether they be a partner or practice manager considering the well-being of the firm or a software engineer developing the tools that we all rely on.
To put it another way, there are, according to security management jargon, three ‘P’s of security: policies, procedures and people, and of these three Ps the last is the most problematic. Policies can be written and staff required to sign that they have read and understood them (whether or not they actually have). Procedures can be designed and implemented (obviously with varying degrees of success). But what is the point of any of this if the third element, people, ignore the policy stipulations and work around the procedures in order to make their lives easier? You might discipline (or even fire) certain staff for their attitude towards the first two Ps, but how likely is that when the culprits are your major income generators, even though it is their breaches of the rules that might well cause the most damage to your firm, given the value of the data they create and have access to?
The trick is, of course, to avoid security breaches (by anyone in the firm) occurring in the first place. This can be tackled in two ways. The first is by changing people’s behaviour and imbuing them with a security culture. This is the business leaders’ task (partners, practice managers, etc.) and the most difficult challenge. The second is by producing technology which makes secure working an easy, and even the default, option.
Only Human
Human nature can cause security nightmares but it is, to some extent at least, predictable. This is useful as it means that we can (tentatively) forecast the positive and negative security implications of people’s normal tendencies. We can then decide what to do to enhance security.
It would seem reasonable to take a benevolent view of human nature as a starting point for our behavioural projection. This is the view that, on balance, most people are inherently honest, want to help each other, and want ‘to do the right thing’ – once it is explained to them, people will appreciate the need for security and wish to cooperate.
However, this positive outlook must be tempered by the reality that, for the vast majority of us, no matter how well disposed we are initially to the security cause, at the end of the day we simply want to get the job done and get on with our lives. Another (less charitable) way of expressing the same idea is that human beings are all fundamentally lazy: if there is a quick, easy way to do something, we will choose that route. Thus, if the secure way of doing things does not seem natural (ie if all the rules, procedures and protocols of security seem to produce a mode of working that is awkward), then they will be circumvented.
In a way it is all about perception. Security must come to be seen merely as part of getting the job done, rather than seeming to be something artificial that gets in the way of getting the job done. The challenge is in achieving a state in which secure working is so natural that the ‘secure’ actions/procedures one follows are not perceived as special in any way but merely as steps which it would be abnormal not to take. By way of analogy, most of us do not think twice about locking up our homes when we leave for a day’s work; the security aspect of this action is almost subconscious. Likewise business security needs to become part of the culture of working, steps which one takes as a ‘matter of course’, just as looking after our personal property is a normal part of our everyday lives.
Training
Instilling a security culture in the people working in a firm, when none has existed before, requires training (and monitoring of the effectiveness of that training), adjustments as necessary, and then further, regular cycles of training, monitoring and adjustment.
The goal should be a working culture that views security (and any inconveniences that it entails) as the norm and accepted, so that, rather than a person expecting some sort of expression of peer approval or amusement when he relates some incident of insecure working, he can expect chastisement. This latter point touches on another aspect of human nature, ie the desire for acceptance from one’s peers and approval from one’s superiors. Thus if the majority, and particularly the leaders, have the security culture embedded in their psyches, the likelihood is that the rest will follow.
You can create all the policies and procedures you like but unless there is a culture of security their effectiveness is always going to be limited. Conversely, once that culture exists then unintended breaches by staff, whether or not as a consequence of negligence and/or carelessness, are bound to be fewer. (Obviously deliberate/malicious breaches are a different matter.)
Focus on Non-techies
The need for security training was noted in a recent Computers & Law article.[2] However, the target for the training discussed there was technical people: engineers, programmers, etc. Arguably, however, the security inadequacies of technical personnel are easily dealt with. If the staff you have employed or the consultants you have engaged to configure your hardware and/or software prove inadequate, you can dispense with their services. When IT security competence is among the prime reasons for hiring an individual, such action would seem both justifiable and possible.
The difficult part is in dealing with those personnel selected not for their technical knowledge but their legal, business or other acumen. People hired for these skills are unlikely to be readily ‘let go’ simply because their security expertise is lacking. Therefore it is these non-technical people on whom the training focus should be placed. However, research reveals that training and testing of non-technical staff on matters of IT security is currently highly unsatisfactory.[3]
While not offering a definitive solution to this problem, what I would say is that, as with all matters which concern the well-being of the firm/business, it is for the senior staff to lead by example. Therefore they should, willingly, subject themselves to the same training as the most junior employee, and not claim that they are too busy (ie too important) or find some other reason to excuse themselves.
Mobility: Good for People, Bad for Security
The plethora of devices (mobile phones, laptops, iPads, etc)[4] that permit comfortable working away from the office means that it can be just as convenient to work in an airport, on a train, or in another public place as at an office desk. Unfortunately, the culture of professionalism that a formal office environment engenders in most people can be totally lacking once they are free from the physical confines of that office. This can result in a carefree attitude in public places that is wholly inappropriate for the sensitive work one sees and hears being undertaken there. For example, I am sure that we have all sat beside someone accessing business e-mail that we could easily read, or heard someone discussing personnel matters on a mobile phone without the slightest concern as to who is nearby.
Thus firms that require and/or allow staff to work beyond the office must inculcate in them a security culture that will inform their actions as much outside the office as within it. Staff training is again key but its effectiveness, which is hard enough to monitor within the office, is always going to be that much harder to determine when the individuals concerned are beyond the office walls.
Conclusion
As we all know, security is something one strives for rather than attains. No system can ever be 100% secure if it is actually going to be used. Security is a matter of balance, return on investment, risk assessment, etc. and this is just as true for the people side as it is for the technical side.
Managing security is as much about managing expectations as it is about ‘managing’ in the sense of achieving a secure environment, or maintaining a level of security that you have achieved. It might be seen as making the most of an impossible situation, a situation that, I would suggest, can be made more tolerable by adopting the correct approach towards both people and technology:
- Attempt to shape things that you can considerably influence (eg staff behaviour and culture).
- Support the ideas of those advocating technological developments and changes which enhance security and who have the influence in the field of technology that you lack.
Alastair Morrison works at Strathclyde University where he evaluates, implements and runs IT services: alastair.morrison@strath.ac.uk
[1] Data Loss – Never Out of Fashion?, 03/06/2010, http://www.scl.org/site.aspx?i=bp16524
[2] Chris James, Does your firewall have an open door?, Computers and Law, June/July 2010, Vol. 21, Iss. 2, pp 21-31
[3] Andrew Buss, Security – policies, processes and people: How much is good enough?, 29th June 2010, http://www.theregister.co.uk/2010/06/29/policies_processes_people/
[4] Martin Telfer, Mobile Madness, Computers and Law, June/July 2010, Vol. 21, Iss. 2, pp 8-9