If Jeremy Clarkson were writing this article he would create a skilfully structured analogy, probably involving a car, to highlight the foolishness of some employees when using their computer at work.
Something along the lines of 'Accessing porn, whilst at work, is like having sex in the company car, right there in the company car park, whilst the rest of the staff are in said car park during a fire drill'. Assuming suitable mirth would be forthcoming from the reader he might go on to write, 'Someone that stupid should get a P45 as they are too dim to work for the company'.
Unfortunately the reality in the workplace would not permit such directness in relation to any of the issues surrounding the misuse of IT systems. The problem with information security is that the norms of what people do at home and what they do on the company desktop is blurred.
The reason is that most companies have not tackled the behavioural issues around the problem. We all know its hard work, and, once started it will lead to more work.
One might think that information security is the responsibility of everyone in the organisation and that most employees apply commonsense when using their corporate desktops. Not according to the recent third annual Global Information Security Workforce Study, sponsored by security certification organisation (ISC)2 and carried out by IDC.
According to the report, organisations have ignored the role of human behaviour and have instead placed their trust in hardware and software to solve security problems.
The elephant standing in the room for most organisations is that everyone knows the vast majority of information security failures arise from the foolishness of their own employees. This recent report highlights the fact that a successful information security approach is as much about people and processes as IT products like intrusion detection and firewalls.
In the face of such a complex problem, the role of information security professionals is becoming almost vocational. The reason for this stems from the evolution of the threat to the organisation from outside parties.
Originally denial of service attacks for the resultant recognition from the hacking community was the driver. Today the threat from the outside has become more professional and sinister.
Indeed, rather than mass attacks, the threat today is more focused. It is obvious that the next development in information security threats from outside bodies will be a combination of both mass and focused attacks. The purpose of the mass attack is to mask the focused breach.
The response from government and industry is the development of defined roles for experts in counter measures for information security threats.
This new breed of IT professional realizes that the implementation of an IT security product is a small but important part of the solution to creating a secure IT security environment.
Only through the adoption of an IT security framework such as ISO 17799 and by living a best practice methodology can standards increase to the require levels.
Central to these frameworks and increasingly becoming the requirement from most regulators, is the creation of a culture of IT security.
It is here that IT security professionals have to become evangelistic in communicating with the wider organisation. This constant and long term challenge is present at every level in the organisation.
The key is to get started and not to wait for an information security failure to justify the effort. Begin now and tell colleagues of their responsibilities. Lay out the objectives of the company’s IT security culture and enlist help in keeping the bad guys out.
Throughout 2006, there were numerous high profile cases of major organisations being faced with large scale disciplinary actions with staff as a result of computer misuse. In almost every situation, the communication of company policy was scant and irregular.
There is a burden of trust for IT security management to ensure that employees do not find themselves in a severe disciplinary situation as a result of lack of communication. Regular and consistent communication of IT security norms will dramatically reduce the likeness of this happening. It will also lead to greater security.
Unlike the imaginary car park scene, it is not obvious to a significant slice of your user population what is and what is not suitable behaviour on their company PC
