Thursday, November 13, 2008

Employee education key to successful enterprise security

Money can buy you many things, it seems, but not perfect security. Organisations have been investing in IT security over the past few years, but laptops and disks full of sensitive data are still going missing and corporate networks are still being hacked.

In all these breaches, the common link has become increasingly obvious: employees. Whether they are failing to abide by corporate policies, simply don't know about them, or work in a company that has no security policies in place, staff are mailing out millions of user accounts without proper encryption, giving out passwords over the phone and double-clicking on attachments that promise naughty pictures of Angelina Jolie.

A recent survey of 1,000 IT managers by mobile data security specialist SafeBoot showed that 54 per cent of respondents felt that the majority of their employees ignore company security policies, mainly due to a lack of understanding and "not taking it seriously".

The answer then should be clear: educate employees about the risks and what they should be doing to reduce them. And indeed, some companies are already doing that. But SafeBoot's research shows that 98 per cent of IT managers rely on memos and emails to communicate security. As Tom de Jongh, product manager at SafeBoot, points out: "You can't trust employees to read memos."

So what is the best way to teach employees about security - and get them to follow the advice? The first step is to realise that not everything is going to happen overnight. "You need to change the culture of the organisation over several years," says Martin Smith, chairman and founder of The Security Company. Smith, who started his career in military counter-intelligence and counter-espionage, has been trying to convince businesses of the importance of security awareness for 20 years.

"It's heartbreaking," he laments. "Infosec is focusing frantically on technology, but it doesn't matter what you spend on security unless you bring people with you. If staff could just know some basic stuff, it would all go away."

Generating this culture of security is an important component of overall security awareness. "There's an awful lot that users need to know - too much," Smith adds. "They're overloaded with information they're not really interested in - it's boring." Rather than trying to teach people through courses, he advises constant reinforcement of the message that security matters, combined with a single place where employees can look up what they need to know.

Bad awareness education can be even worse than no training at all, Smith suggests. "Employees will always ask: 'What's in it for me?'. If all people see of security is a boring course once a year that effectively pushes the problem on to them so that the security team's arse isn't on the line, that's not a huge sell." Measures such as providing somewhere for employees to find out security information, letting them know that breaches in security could cost the company severely, creating a culture of security and not forcing them to do anything, are far more likely to make employees security aware.

Assuming the constant reinforcement of the message is getting through, employees who are about to perform an action that might be potentially dangerous will pause to think and consult the knowledge zone for the correct procedure. "Then you'll have employees thinking: 'Send out 25 million bits of information? That doesn't sound right. I'll just check the knowledge zone,'" Smith says.

Obviously, creating an intranet knowledge zone or having a security support team to answer queries takes resources. Cliff May, consulting manager at Integralis, often has to teach employees of client organisations about security as part of ISO27001 audits. He uses seminars and e-learning packages to educate users, but prefers seminars. "E-learning is not as effective. If you run tests, sometimes people get the answers off someone else - it's a paper exercise they just want to get over with."

Nevertheless, e-learning can work well if you're prepared to invest in it properly. Paul King is a member of Cisco's security programmes organisation, which runs training around the world. As well as an initial induction programme that uses face-to-face training, Cisco uses e-learning systems featuring specially shot videos put together by professional video makers. "We keep them quite short, simple and interesting. There are also questions interspersed throughout, although they're not as hard as an exam."

Cisco has an internal home page with links to take people through to the e-training videos. Using web analytics, the company monitors which employees have been watching videos. "Everyone in the organisation understands that the need for security awareness comes down from John Chambers (Cisco's CEO)." But if employees aren't watching the videos they're supposed to be watching, their line managers will be asked why.

King says the company can also tell how effective training has been through other means. A recent video on "shoulder surfing" emphasised the importance of using privacy screens when working on laptops in public places. A link next to the video took the user to a place where they could buy a screen through their department's budget. "Take-up was huge. Lots of people now have screens on their laptops. That's our measure."

Cisco only produces a few of these videos. For the most part, it provides a constant background of security information to create a secure culture. It uses poster campaigns and newspapers among other things. A recent effort suggested employees should think of themselves as "security champions", trying to keep the company safe.

However, Robin Adams, head of the security division at the Logic Group, cautions against relying on posters. "The feedback I get is that posters work for about a month." Similarly, signs to remind users of good behaviour tend to fade into the background within days.

Although seminars can be expensive and less effective in the long term than other methods, they can work well in small companies. Firebrand offers low-level training courses that clear away jargon and acronyms - something that can creep in if security staff put on their own seminars without input from marketing, training or HR departments.

David Cole, academy team leader and senior consultant at risk consultancy DNV, suggests that role-playing works well in workshops and seminars. "There's a danger in infosec training that you end up showing slide after slide," he warns. "But you need to make it fun. You can have training exercises and create a scenario that builds slowly over the day."

May at Integralis uses anecdotes from his forensics career to enliven his sessions. "You get senior people turning up because they hear it's interesting. If you can add a bit of humour, they can enjoy proceedings." He also advocates the use of role-playing: "They have to think for themselves. It's a good way of making it sink in." Nevertheless, although he is in favour of induction courses, he considers a presentation by itself "virtually worthless".

It could be you

Getting employees to pay attention to all these messages usually involves sticks and carrots. Annual exams can test how much has actually sunk in. Strong punishments for people who have knowingly broken security policies can set an example and demonstrate the company is serious about security. But the Logic Group's Adams says that, in his experience, painting a worst-case scenario of what could happen works "amazingly well" when it comes to convincing staff to abide by the policies anyway. "If you explain that credit-card companies might take away their ability to process cards for orders, together with the effect that would have on jobs, people really listen." Explaining what information might be worth to criminals also helps, he adds.

Ultimately, no matter how good security technology becomes, people will always be a weak link. Ignoring this fact is, as Smith suggests, like focusing on brain surgery when the patient is dying of the common cold.


1. Make sure that all redundant equipment, documents and waste are removed as appropriate. It's no use protecting data on your PC if it's on your desk for everyone to see.

2. Lock your workstations when left unattended and log off at the end of your working day.

3. Don't share computer passwords except under the most exceptional emergency circumstances.

4. Don't make your password easy to guess. It should be at least eight characters, different for each account and not based on personal things such as dates or pet names.

5. Organised crime is at work and the average criminal is more motivated to steal from you than you are to defend yourself.

6. If you have a laptop, don't leave it on display in your car. Get a laptop cable lock. Many thefts are crimes of opportunity.

7. Avoid working in a public place; you never know who's watching. If you must, get a privacy screen.

8. Do not connect devices such as iPods, USB drives or even CDs to your PC without checking with IT - these can all carry malicious software.

9. Don't reveal details of your workplace security to anyone. If someone is trying to break in, they'll try to gather as much information as possible first.

10. If you think something is suspicious, report it. Many crimes are successful because earlier, unsuccessful break-in attempts weren't spotted by the right people.


Japanese digital office-solutions company Ricoh has nearly 82,000 employees and offices in more than 150 countries. Three years ago, the company decided to go for a single global certification for ISO27001.

Kevin McLean, information security manager at Ricoh Europe, has been in charge of the EMEA aspects of the certification. "In order to achieve the certification, we created a project team. The team worked with the IT, HR and facilities management departments to establish the information security management system (ISMS) with a focus on access control, from IT systems to buildings. Recruitment policies were reviewed to cover the management of contractors and permanent personnel."

However, McLean knew that employee awareness would also be a vital part of both certification and the company's security policy. "While we strive to be as strong as can be with physical security, it can all be undone by people," he says.

So he and his team created a security awareness programme. They began with pilots in a number of offices, including the company's European HQ in London. They also set up ISMS business representative groups: bridging units at each pilot site that linked the security team with the rest of the company and met to decide on activities and projects designed to improve employee awareness. "We tried a number of things to see how they were received." Since the pilot project at the HQ covered a relatively small area, it was possible to take advantage of "water cooler" chat to discover how much of the message was getting through. Managers reported that more staff were wearing ID badges, clearing their desks at the end of the day and following the other practices they had been advised to adopt.

To get the message across, the unit devised initiatives including informal launches, articles on the intranet, a staff handbook and mandatory awareness training. Staff were also given free gifts, including a personal alarm and SIM card replicator, to reinforce the security message. A set of "11 commandments" based around the "DOIT" slogans ('protecting documents, office and IT') further added to the message.

"HR and marketing helped come up with the slogans," recalls McLean. "And HR were able to tap training and similar resources." Seminars and workshops involving role-playing allowed staff to explore security issues related to their working day. "Employees weren't interested in big picture stuff. It was all about 'How does this affect me?'"

Although Ricoh now has the certification, McLean says the programme will continue. "We're always going to be improving it."


If security is seen as an IT issue, it will be left to the IT department to sort it out. Apart from the crippling amounts of extra work, that will mean security being someone else's problem rather than an issue for the whole company. So it's important to get other departments to work in conjunction with IT to ensure that the security message gets through and is seen as everyone's concern.

This usually involves board-level support as well as a "bridging unit" or a business relationship manager, depending on the size of the company, to liaise between IT and other departments. If you can get funding from those departments, they will be far more committed to the issue than if they are merely asked to give up their time.

The HR and legal departments can be useful, as they can ensure that employee contracts include suitable rules about security and IT use, together with appropriate actions in case employees break them. This means that if someone does cause a security breach, the contract, together with the training given to them, significantly reduces the chance of a lawsuit for unfair dismissal being filed against the company. Liaising with HR means security training can be part of the induction programme, avoiding the problem of security being seen as something "other".

Marketing, training and other corporate communications departments have those vital people skills that some IT specialists lack. When creating awareness campaigns, marketing can help to devise the most effective methods of getting the message across. And while IT can certainly provide the information about security that needs to be given to employees, a training or HR department is far more likely to be able to deliver seminars and courses in a way that non-technical people will appreciate.


Tuesday, November 11, 2008

Security survey finds increase in security standards adoption

News Analysis

Ernst & Young's 2008 Global Information Security Survey raises the eternal question, depending on how you look at the numbers: Is the glass half full or half empty?

For example, the survey clearly shows that many companies may be slow to address growing security concerns, such as reliance on third parties -- partners, vendors and contractors. Only 45% of respondents include specific security requirements in all third-party contracts, but an optimist might say this reflects a trend in the right direction. One wonders if the other 55% write language into their more sensitive contracts that involve sharing confidential data or access to key systems.

The 11th annual survey by Ernst & Young (E&Y) polled nearly 1,400 organizations in more than 50 countries with annual revenues ranging from less than $100 million to more than $25 billion, as well as non-profits. Nearly a third of the organizations polled were in the financial services sector and 13% were in manufacturing, the second highest group.

The report comes on the heels of PricewaterhouseCoopers' annual Global State of Information Security Survey.

On a positive note, adoption of international information security standards is clearly trending up. Use of ISO/IEC 27001:2005 was up 15% over 2007 and ISO/IEC 27002:2005 rose 9% over 2007. The E&Y report stated that management standards, such as ISO 9000, have been adopted in certain industries where information security standards are becoming a necessity for doing business.

The survey also found that organizations are overwhelmingly planning to increase or maintain information security spending as a percentage of their total expenditures. The survey was conducted from June 6 to August 1, before the international economic crisis was in full bloom, so the question going forward is: What was the impact on total expenditures? It would be interesting to see the results if the survey was conducted now.

Interestingly, 50% of the respondents said organisational awareness was the most significant challenge to information security initiatives, edging out availability of resources, budget and addressing new threats and vulnerabilities. The survey didn't specifically address training or awareness programmes, but only 19% of the respondents said they ran social engineering tests, whereas Internet and infrastructure penetration testing were common practice at 85% and 73% respectively.

While E&Y says regulatory compliance has been the leading driver for information security since 2005, it reports that protecting reputation and brand has become a significant driver as well. However, the question asked was not what drives information security initiatives and spending, but rather, what are the perceived consequences of security incidents? What is the "level of significance if information is lost, compromised or unavailable"? Eighty-five percent of respondents said damage to reputation and brand was "significant" or "very significant," followed closely by loss of stakeholder confidence, loss of revenue, regulatory action and legal action.

Though the report cites compliance as a driver for raising security awareness and improvements, there's room for healthy skepticism about how much companies would do if they weren't compelled. Every car should have seatbelts, but how many had them before they were mandated?

Other key findings:

# Business continuity is an IT responsibility in 41% of the organizations, compared to 20% in risk management and 11% in information security. It would be interesting to see if this is trending toward or away from IT.

# Most organizations are unwilling to outsource key information security activities. This is somewhat interpretive. While two-thirds to three-quarters of the respondents are keeping things like vulnerability and patch management, incident response, DR/BC, security awareness training and e-discovery and forensics in-house, the majority are either outsourcing or planning to outsource security assessments, audits and pen testing.

# Few companies hedge information security risks with cyber insurance. Generally, around 10% of the organizations have some sort of insurance in one or more of eight information security-related areas, such as the cost of incident response or litigation, and few of the others have plans in the next 12 months. About one-third said they don't know, which leaves some potential for growth in the future.


Wednesday, November 5, 2008

Broadridge receives ISO 27001 certification for ProxyPlus

This international certification specifically covers Broadridge's Information Security Management System (ISMS) for three flagship products, ProxyPlus, BPS and impact, validating that the associated security policies for these applications have undergone in-depth testing and external audits. The new certification provides better protection and privacy for Broadridge's clients' data by ensuring that there is enhanced tracking and reporting on the company's security initiatives. Broadridge is distinguished among its competitors for its superior information security model and is one of only 77 companies in the United States that are currently ISO 27001 certified; of these companies, fewer than 10% are in the financial services industry.

Broadridge recognizes that the data it processes on behalf of its clients is among those clients' most vital assets, as it is confidential information related to their retail and institutional brokerage and investor communications activities. The certification adds yet another layer of security for Broadridge clients as they conduct their integral operations and transactions using key Broadridge applications to process this data. ProxyPlus is Broadridge's enterprise application that supports the core processing functions of Broadridge's proxy services, the company's largest business. Broadridge's BPS platform is one of the most robust securities processing engines in the industry for equities, mutual funds and options, providing real-time interfaces as well as links to all major United States exchanges. Broadridge's impact solution is an integrated, online fixed-income securities transaction processing system, offering leading global financial institutions the ability to process fixed-income trades from order entry through to customized post-trade reporting. The certification of ProxyPlus, BPS and impact offers the global banks and broker-dealers, as well as the corporate issuers and mutual funds whose data is processed using these three applications, the assurance that Broadridge has created and implemented information security practices that are comprehensive and stringent enough to meet the ISO standard.

ISO 27001 certification is designed to assist corporations with the development of a consistent methodology for implementing information security at the programme level, as well as defining key control objectives designed to protect information assets. ISO 27001 is an auditable international standard that defines the requirements for an information security management system within the certified organization. Additionally, maintaining ISO 27001 certification requires annual surveillance audits and re-certification every three years. The continual scrutiny of Broadridge's ISMS in this manner provides confidence to clients that their data is protected on an ongoing basis.

"We are proud to have earned this certification and believe it reflects the dedication of our Information Security team to ensure that we have the highest level of controls in place when handling our clients' confidential information," said Mark Schlesinger, Chief Information Officer, Broadridge. "Data security is essential to the survival and stability of any organization and Broadridge's ISO Certification offers our clients a higher level of safeguard and protection for their information assets," Mr. Schlesinger added. To ensure that management is closely tied to ISO 27001 compliance, Broadridge has created a governance program that includes a management committee and has appointed information security champions in departments and divisions throughout the company whose job it is to support ongoing and timely security enhancements. This certification is just the beginning of what is envisioned as a multi-year plan to enhance and expand Broadridge's internal controls and security strategy.


Saturday, November 1, 2008

UK – Paternoster plans to achieve data protection compliance

Paternoster has said it plans to be the first insurer to be certified against the information security management standard ISO 27001, after its Indian operations were assessed as ISO 27001-compliant in June this year.

The certification process ensures the company adheres to the tight data security standards demanded by the global standard.