The Human Factor and Cyber Security

Background

I just saw some thought-provoking results from an IT Security Professional survey of 250 IT security professionals attending a recent RSA conference. Some of the interesting highlights were:

“73.3% of respondents would not bet $100 of their own money that their company won’t suffer a data breach in the next six months”,

“81.4% of IT security staff think that staff tend to ignore the rules that IT department put in place”,

“75.8% of IT personnel think that employees in their organization have access to information that they don’t necessarily need to perform their jobs”,

“38.3% of IT security personnel have witnessed a colleague access company information that he or she should not have access to”, and

“54.7% of those respondents did not report their colleagues who accessed that information”.

One of the common threads I see in the survey results is that all the data is related to people issues. There is not a technical issue in the entire set of responses. I should not be surprised, as most security professionals agree that the weakest security link is the human. We can have the best security tools, formulate the best security policies, communicate the policies effectively, and even measure policy compliance, but we will always have someone who either does not get the message or does not want to comply. Of course there are also other motivations.

It reminds me of one of the rude awakenings I had when I was first working on automating physician offices in the early 1980’s. Many of the installations went very smoothly, but there were some where there was great opposition by the office staff to the computer. At first I thought it was a general fear of a new and not understood technology. However, I later came to understand that it was something else. All of the offices being automated were taking cash payment for services using only a multiple-line carbon-copy ledger book. There was little or no tracking and correlation of the cash to the service. I later found out to my surprise that in some of the offices with the high staff opposition, cash had been disappearing. The tracking and billing controls in the new medical office computer system were a major threat to certain people because it put an end to the unaccounted cash leakage.

I am not implying that we should take the low road and assume that the survey statistics are an indicator of the size of the insider threat. However, we should also realize that there may indeed be a component of that present. Policy enforcement also comes into play. Not everyone likes confrontation, and seeing someone do something they should not do and confronting them may not be the desired response in all situations. On the other hand, ignoring violations does not help the security situation. Having formal procedures for handling security policy violations is the right approach, as it helps us avoid human resource issues as well.

What To Do?

I think that the high percentage of IT security professionals not willing to bet $100 of their own money may be a reflection of the respondents’ awareness of increased and continually changing cyber threats. These professionals also probably have an expected increase in paranoia, as they are the ones who keep abreast of the new threats in the cyber security field. IT security professionals know and understand the threats, and we all know that no product or system can be guaranteed to be completely secure. Attacks are growing tremendously every year, with new attack vectors competing with new and broader needs to share data. In addition, each year there are new devices and technologies which bring new challenges for legacy systems and cyber security mechanisms.

As for compliance with the rules, having the right policies, and enforcing policies, that is also a challenge. I do not think we want an Orwellian world where Big Brother is watching all the time, yet monitoring is a critical element for getting compliance. There are more and more tools to help us monitor our networks, the data being accessed, and the data being transferred, and we should use these tools. Most of the major cases of Advanced Persistent Threat (APT) have only been discovered when an unusual or large-volume export of data from a company was discovered and investigated.

I believe that the one area needing attention is how we work with our employees. If employees buy in to policies and rules, they will also self-enforce them. Spending time to communicate not only what the policies and rules are but why they are important is a step in the right direction. In some sense this is taking the high road. I like the philosophy expressed in Stephen M. R. Covey’s book “The Speed of Trust”. He says that trust should not just be automatically given; it must be earned. However, when trust exists in an organization, it can speed up many aspects of our businesses. In high-trust organizations people are candid and authentic, and there is a high degree of accountability. Mistakes are tolerated and encouraged as a way of learning, and information is shared openly. I know the ideas expressed in his book are more on the psychology of trust and what it implies, but it provides a good set of steps for how to establish better trust if we need to do that. Getting to the point where our organizations are high-trust organizations provides some really good benefits. Covey also provides many examples of behavior in a low-trust organization which I think are also applicable factors for failure in cyber security.