The following article was contributed to OUT-LAW by Peter Wood, Chief of Operations at First Base Technologies and a member of the ISACA conference committee.
Getting buy-in for 'soft' security measures such as staff awareness training has always been a battle. Even in the more security-aware sectors, such as banking and finance, budget has often been difficult to obtain for anything beyond traditional IT security 'silver bullets' – firewalls, intrusion detection systems and similar technologies. In the retail sector it’s been all but impossible.
This year, however, we’ve seen a real change. Retail giants have committed significant money and effort to areas they’ve often neglected in the past. Now web application security tests are being conducted every time there’s a change to a web site, encryption is being introduced for sensitive data both in transit and on disk and, most significantly, staff awareness is on the agenda at last.
What’s caused this turnabout in attitude? The primary reason is the Payment Card Industry Data Security Standard (PCI DSS).
Cynics claim it is unlikely that credit card companies and payment processors will actually refuse to deal with firms that don’t conform to PCI DSS. My experience is that some of the largest organisations are taking the PCI DSS requirements very seriously. They are investing heavily in compliance and running projects to improve all aspects of their card handling systems, including programmes for staff awareness of security issues.
One of the key objectives is to dispel the myth that security is a hindrance to 'business as usual' and to show that it is in fact a critical component of doing business in the 21st century.
Educating IT staff about the security team’s roles and responsibilities, and about its methodologies and approach, is essential to creating an appreciation of just how wide-reaching and comprehensive information security is.
Many IT staff see security as being exclusively about confidentiality and the threats from external attacks. As security professionals know, information integrity and availability are just as important and require as much effort and investment as confidentiality. They also know that threats more commonly arise from human error and from inside the organisation rather than outside.
Linking together topics as diverse as insecure system configuration, unencrypted laptops and poor physical security provides a broader understanding of security in day-to-day activities for all staff.
Focusing on topics like social engineering, passwords and encryption gives staff the opportunity to understand where real security breaches occur and what they can do to help reduce the risk to their employer and to themselves.
Educating employees about the risks they run when using computers at home provides the perfect vehicle to promote good security practice at work. If someone realises how an insecure home wireless network coupled with poor passwords can lead to identity theft, they’re more likely to transfer this awareness to the workplace.
If they learn how missing Windows patches and out-of-date anti-virus software can lead to their home PC becoming part of a botnet, they’re going to be much more vigilant with their company laptop. And hearing real examples of social engineering attacks, from phishing e-mails to fake BT engineers, gives them the skills to defend themselves in both their personal and professional lives.
Perhaps the commercial weight of the credit card companies can begin to achieve something that security professionals have been unable to achieve alone – serious investment in good security practice instead of simply buying the latest gadgets.
First Base Technologies is exhibiting at Infosecurity Europe 2009, held on 28th – 30th April at Earl’s Court, London.