More than 90 years ago, Henry Ford famously commented that “most people spend more time and energy going around problems than trying to solve them”. And not a lot has changed since then.
Take IT security, for example.
Year after year, CIOs rank their own employees as their number-one security challenge, and year after year they collectively spend billions of dollars on the latest and greatest security products in a vain attempt to restrict behaviour instead of getting to the root cause of the human error that concerns them so much.
This paradox between the top security challenge and actual security spending is certainly curious. You’d hope that, over time, if there was a focus on reducing the source of concern, it would eventually move down the list of challenges. All too often, though, people are not considered part of the solution, just part of the problem.
The bottom line is that low security awareness among employees is considered the greatest inhibitor to security, yet resources are continually spent on trying to take people out of the equation rather than on trying to address the underlying issues.
This reliance on products over processes will have to change at some point. IT security budgets have increased considerably over the years in an attempt to stem the tide of successful attacks. However, when faced with adversaries that are well financed and keenly focused, organisations will never have enough funds to buy all the technology they require.
The proliferation of cloud and mobility has made it almost impossible to plug security gaps with technology anyway.
As such, IT security chiefs must stop looking at technology solutions only and instead adopt a new security model — one that incorporates people and policy into the IT security mix.
The resistance to this stems from the fact that people are the prime target of the attackers, because the attackers know that the easiest way to enter a network is to be invited in rather than relentlessly pounding on the security infrastructure until it cracks.
Phishing was created specifically to facilitate this aim, while attackers have also been known to create spoof Web pages with malware that users are directed to via spam or even directly implant malware into websites that they know specific groups of users will visit.
Another attack vector aimed directly at users is ransomware. This usually involves an email from a hacker stating that the email’s attachments contain damaging personal information or content that has been acquired without the user’s knowledge.
If the user does not meet the hacker’s demands or pay the ‘ransom’, their information will be made public. At this point, there is an overwhelming temptation to open the attachment and check whether its content is genuine; once that happens, the user has already fallen victim to a malware infection.
Simply put, people are being targeted more now with the increased use of online services. As such, the desire to shut out the human element wherever possible is, to some degree, an understandable reaction. But it is ultimately futile.
The network perimeter gateway was previously the primary protection point, but with the exception of the datacenter, the network perimeter is becoming nonexistent with the rise in mobile computing, the use of cloud-based services, and the expanding number of users.
IT security has long consisted of layers of different security technologies — firewalls, antivirus (endpoint, messaging, and Web-based), intrusion detection, authentication and authorisation, encryption, email protection, URL filtering, vulnerability assessment, and security event correlation, as well as dozens of other technologies.
But even with all of this in place, attackers continue to penetrate the defences.
Exacerbating the problem is the fact that IT teams no longer have the control over IT resources that they once enjoyed, while another common complaint is that the mix of security skills on hand can’t possibly meet the complex security needs of the day.
This is why it is imperative for organisations to increase the security awareness and capabilities of their users. In this way, they can become a force multiplier, reducing the possibility that they will introduce malware into the organisation or provide an attacker with some other avenue for exploitation.
Successfully integrating people, policies, and processes into the security equation will require enterprises to create a culture of safety and security. This can’t be done just by offering an annual security awareness training course. Instead, security education must consider how people work, what their values are, and what drives their behavioural patterns.
The keywords here are training and education. Training is an event that teaches specific skills and behaviours; education is a long-term effort that lays a foundation of knowledge, providing the understanding that results in intellectual buy-in and changed behaviour. Armed with proper awareness, employees will be intrinsically involved in mitigating future risks.
Security-aware users will never replace dedicated security professionals, but they will be better equipped to adhere to corporate guidelines, communicate knowledgeably with the IT security team, and provide timely feedback on the organisation’s overall security posture.
Henry Ford knew almost a century ago that the root causes of any problem had to be tackled head on for true progress to be made, and if enterprises are ever going to regain the initiative from their heavily armed adversaries, it is time they heeded his advice.
Jyoti Lalchandani is group vice president and regional managing director, Middle East, Turkey and Africa, IDC