A Human Intervention

The human element is key to stemming the flow of new viruses, worms, phishing and pharming

THE landscape of information security continues to be dynamic. New threats emerge daily in the forms of new viruses, worms, phishing, pharming, social engineering and identity theft. The threats extend to recent and emerging technologies as well: VoIP networks and WiFi hot spots create the potential for increased vulnerabilities and new avenues of attack.

Recent research commissioned by the Computing Technology Industry Association (CompTIA) indicates about 40 percent of organizations have been victims of at least one information security attack in the last year. Virus and worm attacks were the most commonly mentioned security problem followed by lack of user awareness, browser-based attacks and remote access.

To counter these threats, a sophisticated security infrastructure has emerged over the past several years. This infrastructure, ever more capable and pervasive, is able to detect attacks that may have gone unnoticed for long periods in the past. The elements of this infrastructure are well known to security professionals. The CompTIA study found that anti-virus software is nearly universal (96-percent penetration) and the vast majority of organizations use firewalls and proxy servers (91 percent). Disaster recovery plans, intrusion detection systems and written information security policies also are popular measures.

Many seem to believe that these fully automated solutions are able to turn back nearly all attacks. This may lead organizations into a sense of complacency about information security -- complacency that, unless countered, could leave significant vulnerabilities open to the twisted innovation that hackers are so rightfully notorious for.

In fact, this complacency appears to be keeping many organizations from addressing the single biggest threat to their information security and technology infrastructure -- the person behind the PC.

Human error was responsible for nearly 60 percent of information security breaches experienced by organizations over the last year, according to the fourth-annual CompTIA study on information security and the workforce. That figure is significantly higher than one year ago when 47 percent of security breaches were blamed on human error.

Yet despite the prominent role that human behavior plays in information security breaches, just 29 percent of the 574 organizations that participated in the survey said that security training is a requirement at their company. Only 36 percent of organizations offer end-user security awareness training.

The fact remains that for technology solutions to be truly effective, they must be accompanied by training and mass awareness of information security issues in the workplace. Furthermore, this education must be pervasive throughout the organization -- from the boardroom to the mailroom -- to be truly effective.

Ironically, the lack of strategic vision on the importance of education and training is most acutely felt at the highest levels of the corporate hierarchy. Executives often have the least training in the security-related issues and problems that their companies encounter. As a result, they often underestimate the impact that security breaches have on their organizations.

Security administrators and director-level managers who have a greater degree of insight into the day-to-day impact of these issues often lack the analytical tools needed to monetize the security issues they face and to fully explain the benefits of cross-platform training and certification to their superiors.

The financial impact of information security issues is vividly illustrated by the dollar values offered by respondents when they were asked to monetize the impact of the last security breach, as well as the impact of breaches over the last 12 months. The most common response for both of these questions was that there was no monetary impact at all. But the mean values were more than $11,000 for the last security breach and just less than $35,000 for breaches over the last year. Some report a financial impact of more than $50,000 for security breaches, showing that while a "garden variety" breach may be little more than an inconvenience, the potential for serious harm is always present.

Increasing awareness at the executive level is most easily achieved by quantifying problems and creating business cases for solving them. Showing that the financial impact of security breaches can be very significant is one approach to this.

To get to the next level where information security becomes everyone's responsibility, it has to be taken out of the IT arena. It's time for corporations to look at information security not as an IT issue, but as a business issue. Information security is no longer just the CIO's job, it must become the CEO's job, too. Information security awareness and action needs to be institutionalized at the highest level of the organization. If it's seen as a corporate issue it would be seen as a higher priority. But today, there is a clear disconnect between talking the security talk and walking the security walk.

Nature of Attacks: Targets and Response Strategies
Two distinct groups emerged in the CompTIA study as reporting the most severe security breaches: organizations with 7,000 or more employees and educational institutions. The former group seems to be cognizant of the kind of impact that these attacks can have. Among other measures, they are more likely to have a written information security policy than other organizations. Additionally, this group is more likely than others to have some degree of penetration for security training generally.

Educational institutions, however, seem to be, at least collectively, more lax about the problem. They are less likely than others to have a written information security policy and much less likely than others to have any security training penetration. More than half of respondents from the education sector indicated that none of their employees have been trained regarding security issues.

Just 29 percent of all those surveyed -- 574 organizations -- indicated that training is a requirement at their company. Respondents are more likely to have a dedicated security administrator (57 percent) than to require this training.

While localizing the responsibility for information security may make sense in the context of the tactical threat response, considering that the bulk of security problems are due to end-user gaffes, centralizing knowledge in this way seems myopic.

End-user security awareness training, as distinct from specialized security training and certification, is obviously an important part of the security continuum, but it still has not been implemented by a majority of organizations. Currently, just 36 percent of those surveyed indicate that their organization has this kind of training in place. While 29 percent indicated that their organization will implement it at some point in the future, 35 percent of organizations said they have no plans to do so. When organizations that do not have plans to implement this kind of training were asked why, the most frequent responses were that it is not a departmental or business priority for them at this time or that there is no top management support for this kind of initiative.

End-user security awareness training is typically mandatory for all employees and end users and covers e-mail use and security, password protection, and Internet security/browser use. It also is usually cursory: 11 percent of organizations said that it runs for less than half an hour, while 36 percent indicated it runs between 30 and 60 minutes. The median cost for this kind of training, where it exists, is $5,000, which is also the median stated ROI for it.

Despite that, there is widespread recognition -- 84 percent of respondents -- that end-user security awareness training has resulted in a reduced number of major security breaches since implementation.

Still, there are limitations. The small amounts of time and money invested in this kind of training telegraph to end users that security is not an organizational priority. Greater awareness of the real benefits of this training, and of the risks associated with not having it, is needed at the higher end of the corporate hierarchy to overcome this.

Worried About Web Attacks?

As technology evolves and consumers become more tech savvy, it's important to be informed on the different threats out there that may target your network or even your personal identity. Here is a list of Web sites that may be helpful in keeping informed on the latest Internet threats.

CompTIA is an association that represents the international technology community. Its goal is to provide a unified voice, global advocacy and leadership, and to advance industry growth through standards, professional competence, education and business solutions. Its Web site offers news and information on the hottest issues affecting IT security. Visit www.comptia.org.

The Center for Internet Security is a non-profit enterprise whose mission is to help organizations reduce the risk of business and e-commerce disruptions resulting from inadequate technical security controls. Its Web site offers industry best practices and a link to studies and white papers that cover a number of IT security-related issues. Visit www.cisecurity.org.

CERT, located at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University, studies Internet security vulnerabilities, researches long-term changes in networked systems, and develops information and training to help improve security. Visit www.cert.org.

SANS offers information security training and certification. It also develops, maintains and makes available at no cost a large collection of research documents about various aspects of information security, and it operates the Internet's early warning system, the Internet Storm Center. Currently, its Web site offers the top 20 most-critical Internet security vulnerabilities. Visit www.sans.org.

Organizational spending on information security solutions, whether products or training, has remained fairly consistent over the years of this study. Though a substantial portion of respondents (10 percent) still indicate that their organization spends nothing on computer security, just under 40 percent of organizations put security spending at 5 percent of the total technology budget.

It continues to be the case that companies generating smaller revenue will have a greater challenge rationalizing the security investment needed over other priorities they currently face.

With the abundance of technological solutions available in today's market to address security concerns, there is a temptation to rely solely on them to ensure security. Anti-virus software and firewalls may seem sufficient until a security failure occurs that equates to a massive financial loss. For larger, revenue-generating companies, the financial links are clearer, but they need to be better exposed among the non-investor minority. There are still a significant number of companies and organizations that have not recognized the massive potential for loss due to a security failure. The benefits of security awareness and training are still largely intangible to these groups.

Consistent with the results found last year, more than eight in 10 respondents (81 percent) indicate that security training has improved their security -- usually through increased awareness, by giving staff the tools to better identify security risks, improving security measures and improving the response time of staff to problems.

Convergence of IT and Physical Security
Another growing trend is the convergence of physical security and information security. This convergence is essential today because, with the rise in the number and virulence of threats, neither one is effective without the other.

An organization used to be able to secure its data by securing its building. Two forms of dissimilar identification were typically sufficient to meet security requirements. For example: "Are you allowed in the building?" and "Do you have access to a keyboard?"

But as remote computing grew, "Where are you?" became less important from a security perspective and "Who are you?" and "What do you know?" became more important.

Today, information security and physical security are reliant on each other for backup. A good security program employs a series of checks and balances. There is never just one person or one department that holds all the power.

To be truly effective in preventing and combating security threats, organizations need to take further steps by spreading security awareness and knowledge from a select group of IT staff to larger portions of their employee base. Decision-makers and executive-level staff must become better informed about the real costs of security breaches and the real ROI available with both security training and certification. The best security technology in the world won't work without appropriate human intervention, the skills of implementers and the vision of managers to properly deploy and apply it.
