- Security TWENTY
- Women in Security Awards
As part of European Cyber Security Awareness Month (ECSM), Lance Spitzner, Director of the education group SANS Institute suggests that human resource departments have a part to play in helping their organisations improve information security procedures. Spitzner says: “Organisations are beginning to realise that they have to secure the human element as technology can only go so far.”
ECSM is a European Union campaign in October. ECSM aims to promote cyber security among citizens, to change their perception of cyber-threats and provide up to date security information.
“As long as people store, process or transfer information, they too must be secured. One of the most effective ways to secure employees is to change their behaviours through an active, long term security awareness program,” adds Spitzner who has spoken to and worked with the NSA, FIRST, the Pentagon, the FBI Academy, the President’s Telecommunications Advisory Committee, MS-ISAC, the Navy War College and the British CESG.
According to the SANS Director, based on the available evidence, it is likely that every large organisation will experience an information security breach at some time. According to the Data Breach Investigation Report (DBIR) which has examined over 100,000 security breaches over the last decade, 81 per cent of the incidents can be described by four causes: namely miscellaneous errors (27 per cent), insider misuse (19 per cent), crimeware (19 per cent) and physical theft/loss (16 per cent).
The biggest factor “miscellaneous errors” is, according to the report, simply any mistake that compromises security. The main threat comes from human error, such as accidentally posting private data to a public site, sending information to the wrong recipients, or failing to dispose of documents or assets securely. However, lack of security awareness also has a part to play in insider misuse, physical theft and lost incidents.
Spitzner says“In the past organisations have had security awareness programs, but these were compliance driven programmes designed by auditors to ensure their organisation could ‘check the box’. These programs consisted of nothing more than a once year Power Point presentation or some very basic Computer Based Training (CBT). In recent years, organisations have begun a fundamental shift on how they approach awareness and training. They are building mature security awareness programs that identify and change high-risk human behaviours.”
Spitzner advocates the first task is gaining support of management and answering the key questions of Who?, What? and How? “Once you have a program rolled out you will need the ability to measure it. Measuring provides several things. First it helps you identify where your greatest risks are and where you need to focus your efforts. Second, it can be used to demonstrate the value of the program to senior management, gaining you the support you need to keep the program long term,” he adds.
Spitzner is running a webinar on security awareness. The session covers how to leverage the Security Awareness Maturity Model, how to engage people, and how to measure change in behaviour and communicate those results to management. Registration is available via https://www.sans.org/webcasts/securing-human-emea-generation-awareness-programs-98857
Details regarding SANS training course, “Building High Impact Security Awareness Programs”: www.sans.org/mgt433.