According to the Experian 2015 Second Annual Data Breach Industry Forecast, most security incidents happen because of human error and malicious insiders: “… the majority of data breaches originate inside company walls. Employees and negligence are the leading cause of security incidents but remain the least reported issue. According to industry research, this represented 59 percent of security incidents in the last year.” The research also notes that executives traditionally focus on resolving security issues by investing in technology, while people-based breaches receive the least attention.
What does this mean? It means that investing solely in technology is not going to address the main cause of incidents: employee behavior.
The organizational approach to reduce security incidents
So, how do you approach this problem with employees? ISO 27001, the leading information security standard, offers a less attractive, yet much more effective approach to this problem: (1) strictly defining the security processes, and (2) investing in security training & awareness.
The security experts who developed this standard long ago realized that the technology itself cannot resolve the organizational and the people issues: technology is only a tool; it is only a part of the wider picture. Or, to view this issue from the management theory point of view, the organization is basically a mixture of three essential elements: people, processes, and technology.
Therefore, to resolve the security problems, besides investing in technology, an organization must set the right processes and then manage the people in the proper way. Let’s see how it’s done according to ISO 27001.
Setting the security processes
The first step when setting up the security processes (that is, how the security is organized) is to perform the risk assessment – such an analysis will tell you which potential incidents can happen, and which kind of safeguards are needed to prevent or reduce such incidents. (To learn more about this concept, see this article: The basic logic of ISO 27001: How does information security work?)
For instance, you might identify the risk of losing your data due to inadequate backup – however, it might turn out that you already do have the backup software, but it is not clear who has to configure it (lack of procedure), and/or the employees don’t know how to use it (lack of training).
ISO 27001 suggests 114 safeguards (or controls), which are arranged into these 14 sections:
- Information security policies – controls on how the policies are written and reviewed
- Organization of information security – controls on how the responsibilities are assigned; also includes the controls for mobile devices and teleworking
- Human resources security – controls prior to employment, during, and after the employment
- Asset management – controls related to inventory of assets and acceptable use, also for information classification and media handling
- Access control – controls for Access control policy, user access management, system and application access control, and user responsibilities
- Cryptography – controls related to encryption and key management
- Physical and environmental security – controls defining secure areas, entry controls, protection against threats, equipment security, secure disposal, clear desk and clear screen policy, etc.
- Operational security – lots of controls related to management of IT production: change management, capacity management, malware, backup, logging, monitoring, installation, vulnerabilities, etc.
- Communications security – controls related to network security, segregation, network services, transfer of information, messaging, etc.
- System acquisition, development and maintenance – controls defining security requirements and security in development and support processes
- Supplier relationships – controls on what to include in agreements, and how to monitor the suppliers
- Information security incident management – controls for reporting events and weaknesses, defining responsibilities, response procedures, and collection of evidence
- Information security aspects of business continuity management – controls requiring the planning of business continuity, procedures, verification and reviewing, and IT redundancy
- Compliance – controls requiring the identification of applicable laws and regulations, intellectual property protection, personal data protection, and reviews of information security
As you’ll notice, only a small part of these controls are IT-related; most of them focus on organizational issues, which are resolved by writing various security policies and procedures, for example an Acceptable Use Policy, Classification Policy, BYOD Policy, Access Policy, etc.
See this article to learn how to decide which policies and procedures to write: How to structure the documents for ISO 27001 Annex A controls.
Security training & awareness
The most important rule about training & awareness is that they must be performed in parallel with the implementation of any safeguards (both organizational and technology-based). For instance, if you publish a new Classification Policy without explaining to your employees why it is important and how to classify documents, such a policy will never take hold in your company; similarly, if you implement new software for tracking incidents without awareness and training, it probably won’t be used much.
The basic difference between training and awareness is the following: training explains to your employees how to perform a certain activity, while awareness-raising tells them why this is important – both of them have equal importance, and have to be performed in balance.
Here are some training methods you can use:
- Courses – see this article for more information: How to learn about ISO 27001.
- Reading literature – there are many information security books available, as well as magazines.
- Participating in expert forums on the Internet – in some of those you can get very concrete answers to your questions – for example, ISO 27001 security.
- In-house training – delivered either by in-house experts, or by hiring consultants, certification bodies, or similar.
For raising awareness, you can use several methods:
- Include employees in documentation development
- Presentations
- Articles on your intranet or newsletter
- Discussions through internal forums
- E-learning
- Videos
- Occasional messages via email or via your intranet
- Gatherings
- Day-to-day in-person communication
For more detailed guidance on these awareness methods, read this article: How to perform training & awareness for ISO 27001 and ISO 22301.
A change in thinking is necessary
It is true that buying some new and shiny piece of software or hardware seems like a much nicer way of resolving security problems, whereas dealing with processes and people is much harder.
But what we really need is a shift in thinking from “we’ll resolve all the security issues by purchasing technology” to “let’s start thinking about how to use our technology in a secure way”; otherwise, the large sums spent on technology will continue to hit the target only partially, while the incidents will only become larger and larger. And more costly.
See this series of 25 free security awareness videos, which any employee in your company can easily understand.