“Ah you want the Security Department, this is the Department of Security”
I saw a headline the other day, the basic premise of which was that IT should take full responsibility for cyber security, removing the onus from users and thus allowing creatives to be more, well, creative. To be honest, I didn’t then carry on and read the article. It may have been that, once past the obvious clickbait title, there was some merit to the story, but instead I chose to just get on with my day.
But it did get me thinking. Here at Risk Crew we try to refrain as much as possible from talking about cyber security; we much prefer talking about Information Security.
Getting fixated on cyber security, and on cyber security alone, is a very risky path to go down. So a user vigilantly locks down their system every time they are away from their desk, but do they notice the stranger without an ID pass staring at the whiteboards in one of the meeting rooms?
When a user gives up their credentials in a social engineering attack, is this a cyber security breach or an information security breach? If a malicious actor tricks their way into a building and steals a digital device, is this a cyber security breach or a physical security breach, and does it even matter?
Information Security Awareness is the answer
It’s a problem that goes right to the top. At a recent security expo I was listening to an ex-senior government official talk about how, in organisations that come under the Critical National Infrastructure (CNI) umbrella, there is a disconnect between those that look after physical security and those that look after IT security. Now, the definition of a CNI organisation is one that, if disrupted, would have a critical effect on the wellbeing of the nation – so quite important then! Why is the head of Physical Security not firmly partnered with the CISO? If they compared notes, they could improve both departments.
The point of all of this is that we don’t want to be taking the onus of security off the users, be it physical, information or just cyber. Far from it; instead we want our whole workforce to be security aware. Why rely on a team of 3 physical security personnel alone to make sure that imposters aren’t wandering around the office? Why rely on a single Information Security Manager to ensure that phishing emails aren’t being acted upon? Sure, take the lead from the professionals, but don’t rely on them solely.
You need a culture of Information Security Awareness
By creating a culture of Information Security Awareness in organisations, the general population of your company, often cited as the weakest link in the defence chain, instead become the ‘first responders’: alerting the security desk that someone is wandering around without a pass, forwarding suspicious-looking emails to the IT department and not politely holding open the access-controlled door for the stranger with a coffee in one hand and a phone in the other.
The downside to this, of course, is that if enacted too enthusiastically, workplaces that were once friendly, warm and open can become some dystopian dark nightmare – cold and unwelcoming. And who wants to work in a place like that?
Well, it doesn’t have to be that way. If you get the message into their heads in the correct manner and, very importantly, have processes and procedures in place to back it up, you can have an organisation that is still a nice place to work, yet vigilant towards threats to security. This means less chance of a breach, meaning no nasty headlines, fines or investigations – which in turn ensures it remains a nice place to work.
What I’m talking about is not having an employee force a door shut on a visitor while simultaneously shouting “YOU SHALL NOT PASS, YOU SHALL NOT PASS!” Instead, it could be a sign stuck up on the wall by an access-controlled door, warning of the dangers of tailgating. When the employee approaches the visitor, they can point to the sign and also refer to their policy:
“I hope you don’t mind but our security policy means I need to check you are authorised to be here”
Or, if the employee doesn’t feel comfortable doing this, they can simply take note of the visitor’s description and inform their supervisor.
Of course, it would be great to operate in a world where this threat didn’t exist, but unfortunately it does. Simply put, stolen data can equal ruined lives, and we all need to do what we can to prevent it.