This article focuses on two basic aspects of a good security practice – assessing risk and creating a good security awareness program.
The Good Ol’ Days
Before we had widespread internet access and robust networks, securing data was focused on the physical realm. Fences, heavy doors, locks, security guards, shredders, and alarms were among the tools used to keep paper records from being stolen or misused. Back then it wasn’t out of the ordinary for a business to require its employees to take a “safety procedures” class or to attend training on how to secure the papers, grade books and items of value to the school, e.g. “Destroy the mimeograph stencil when you have finished making dittos.” (Yes, I remember the pungent glue-like aroma of the “dittos”, and yes I am dating myself.)
Today we still have physical security to be concerned with, but we also now have digital records to protect, millions and millions of them. While no single article on data security could cover all of the aspects of protecting that data, one aspect worth highlighting is a practice that was also used in the previous era to protect physical assets. I’m referring to training, and specifically security awareness training.
According to IBM’s Cyber Security Intelligence Index, 95 percent of all security incidents involve human error. 95 percent! The range of mistakes runs from clicking on an attachment or a link in an email, causing a malware installation, to users sending sensitive documents to unintended recipients. Attackers also exploit this human factor, using social engineering techniques to get people to do something they ordinarily wouldn’t.
The cost of a breach can be high depending on the severity and is rising yearly. According to a Ponemon Institute analysis from 2013, out of nine surveyed countries, US companies are among the top two most costly when it comes to data breaches. The US also holds the top spot for breaches that resulted in the greatest number of exposed or compromised records. Why? Cyber criminals prefer to fish in the pond with the most fish, and there are ample distractions that keep security from staying top of mind (if it comes to mind at all).
Schools are like many other businesses when it comes to the scarcity of resources and dollars to spend on IT, and specifically on security. Where do we spend it? Technical tools, more sophisticated firewalls, denial-of-service appliances and dozens (even hundreds) of “gotta have this” solutions await. However, there is no “technology panacea”, no “big black box” to install between your staff, faculty, students and the internet.
What Are Your Risks?
To start with a good foundation, yes, there are some basic technology must-haves, things that, if you don’t have them, you should focus on first. But it all starts with understanding your risks. What ARE the highest-risk elements of your environment? For example, if you do not even have a basic packet-filtering firewall, and instead depend on just a router to hide your internal IP addresses, you may want to seek out a security-savvy IT firm to tackle that first. Immediately after, or in parallel with that, do a risk assessment and prioritize based on the outcome. There are a number of tools and techniques available to develop an approach for an IT risk assessment that harmonizes with the culture of your business. The deliverable is a prioritized list of items where your business has gaps versus the framework used to benchmark your risks. Now at least you know where to start.
Recently I gave a presentation to one of our business lines on security and privacy, and I told them that if I could have anything with regard to security, I’d get a “Beware” key added to their computer keyboards that they could hit every 15 minutes or so to flood them with all the awareness they need to stay safe. Of course and sadly, no such key exists.
Fair enough – then what about making sure that people don’t cause the problem? If over 95% of security incidents are caused by human error, might that not rank fairly high among the “highest risk” items in your risk assessment? If so, what are the basic steps to reducing that “human factor” risk? (Note: a good risk assessment will typically have a human-factor thread woven throughout the controls benchmarked in the assessment.)
Next, do you have a formal Security Awareness Program that includes the aforementioned Security Policy at its core and expands to:
- Appointing a Chief Information Security Officer (CISO) even if they wear other hats
- Assembling a team led by the CISO that focuses on security
- Web-based security training from a strong security-training vendor
- Periodic newsletters about current data security trends and techniques to stay safe
The security awareness program is best created and delivered with the overall culture of the organization in mind. It might include just the items on the list above, or it might include posters, formal classroom training, notices, bulletins and phishing tests.