Article:

Building a Security Culture – Am I Bovvered?

29 June 2017

Nobody wants to have to tell the board, stakeholders and their customers that there has been a security breach which has resulted in data being leaked. The consequences are far reaching; fines from regulatory bodies, legal action, reputational damage, and loss of revenues. Failing to manage IT security (InfoSec) can have a devastating impact upon the business, and unfortunately attacks from unscrupulous hackers are becoming increasingly sophisticated and divisive. This makes it increasingly difficult, expensive and time consuming to defend against.

The burning question is, how do we protect the IT infrastructure and data from attack? The most important factor in building a security culture within your company is leadership. Your staff must believe that the board takes security seriously. This must be demonstrated both verbally, by repeating the security message; but also physically by allocating sufficient budget to protect your assets.

Remember, there is no monetary return on investing in InfoSec. You are protecting against things that you hope will never happen. When deciding how much to should invest in InfoSec you need to consider the Annualised Loss Expectancy (ALE) however, this is a topic for another day. At a high level you should be considering:

  • Applying security updates to software and hardware
  • Replacing end of life technology with software/hardware under support
  • Implementing a clear governance structure – policies, processes, procedures
  • Instructing an independent penetration test and threat analysis to identify weak points
  • Nurturing a security culture and employee training

We are going to focus here on how to achieve a security culture. To develop a security culture within your organisation you need to encourage employees to respect standards towards security. Most security breaches are caused by employees; they are the most variable element in your organisation. In fact, according to a survey in 2015 by CompTIA, employee error accounts for 52 percent of security breaches, with technology accounting for the other 48%.

Before we discuss what you can do to build a security culture, let us have a quick look at what employees do to let the hackers in:

  • Losing their laptops, mobiles, tablets
  • Using their devices in public places where they can be overseen
  • Sharing passwords or using the same password forever and for everything
  • Leaving their devices unlocked
  • Clicking on email attachments they weren’t expecting
  • Downloading files/software without permission from IT
  • Falling prey to social engineering; such as phishing
  • IT colleagues not implementing available security patches

As you can see, there are a multitude of ways in which employees can provide the gap for hackers to get through. What will not work is asking an employee to read a big security policy on their first day at work and then punishing them if they trip up later down the line. The key to success is encouraging and nurturing a Security Culture which is sustainable. First of all we are going to go through some of the proactive things which can be done to make it less likely for employees to go wrong. In essence you are removing a level of control from the employees. These are practical interventions that you can consider implementing:

  1. Privilege

Manage access privileges that users have to the IT infrastructure. All users should only have the privileges required to do their job, and no more. This is a concept known as ‘least privilege.’ Start off by giving them a basic build and additional privileges should be requested and be approved by more senior management.

  1. Password control

Put controls in places that ensure user passwords are complex/strong, and that they have to change them regularly.

  1. Inactivity

Ensure that all devices lock after a fairly short period of non-use and require a password to unlock them. A small number of failed password attempts should result in a complete lock-out that only an IT administrator can override, once the user has verified their identity.

  1. Anti-virus and spam software

Implement reputable anti-virus and email spam software, and keep them up to date.

When talking about culture it can feel incredibly intangible and almost impossible to quantify. However, the practical interventions are your first step to providing the right foundation to build a Security Culture. From there you should be:

  • Develop an InfoSec Policy. This should be cascaded down through the business by the way of “User Awareness Training”. This will ensure that IT users are made fully aware of the threats they may be exposed too and how to respond to them. This should be carried out for all new staff and repeated for the entire workforce annually.
  • Sending regular email updates to colleagues to make them aware of any particular threats they should be aware of, such as social engineering, or spam that has been received by a colleague.
  • Reward employees for exhibiting good behaviours and circulate that news to the rest of the organisation. An example might be an employee who identifies and blocks a phishing attempt, and makes a full report internally.
  • Ensure that employees understand that they each have a responsibility for InfoSec, whether that be from maintaining a clear desk, to locking their device, to not leaving their laptop in the pub after a few drinks.

In summary, I know that this is one particular area of IT that keeps people awake at night and it is sufficiently complex that many organisations do decide to seek external help. You cannot afford to be complacent about InfoSec, and you certainly do not want to end up in the press for the wrong reasons.

The BDO Technology Advisory Services team has helped numerous businesses in the mid-market with their IT Security. If you would like further information on how we could help your business please call Gavin Davis on 0118 925 4400 or email gavin.davis@bdo.co.uk.