In this chapter, we cover steps that an organisation can take to ensure that users are better prepared to make use of cyberspace, and to understand not only the issues they may encounter in doing so, but also their responsibilities to the organisation itself.
For the most part, one of the greatest security liabilities in any organisation is the user. They may not act deliberately, but often they will unintentionally perform acts of cyber vandalism that will cause untold problems for the IT and security support staff. Their actions (or inactions) may be that they behave inappropriately and release information or allow information to be released, but this may often be due to the fact that they have not been properly trained by the organisation to react appropriately to information security events.
Some – but not all – of this can be corrected by educating and training the users in good security practice, making them aware of the risks that they will face when using both their own and the organisation’s systems.
The ‘not all’ referred to above covers two different aspects of human behaviour – first, when the user simply forgets or ignores their training, and second, when they are carrying out some act in a very deliberate manner, either to cause loss of the organisation’s information (selling it to a competitor for example) or to cause damage or loss as an act of revenge.
However, making users aware of the threats, vulnerabilities and impacts that they may face is an essential precursor to training.
There is little that the organisation can do to ensure that users never make a mistake, although as a means of reducing the likelihood, one organisation in which the author worked levied a small financial fine on staff who left their computer unattended or left sensitive documents on their desk.
Preventing or reducing the likelihood of information theft or damage to systems and information can be achieved to a certain extent by implementing very strict access control mechanisms and introducing monitoring software that looks for anomalies in user behaviour and flags up an early warning if something out of character is detected. Banks and credit card companies adopt a similar approach as a means of early detection of fraud, and will often contact a customer immediately if they appear to be making purchases that do not match their previous spending patterns.
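The behavioural monitoring described above can be illustrated with a small detector that learns each user's normal pattern and raises an early warning when a new event departs from it. This is an added example, not code from the original chapter or from any particular monitoring product; the history records, the user names and the three features (hour of activity, location label, megabytes transferred) are all constructed, and the three-standard-deviation threshold is an assumed tuning value.

```python
"""Toy behavioural anomaly detector (added example, not from the chapter).

Builds a per-user baseline from constructed historical activity records and
flags new events that fall outside that baseline, in the spirit of the
"something out of character" monitoring described in the text.
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed sample history: (user, hour_of_day, location_label, mb_transferred).
# These are invented records, not real log data.
HISTORY = [
    ("alice", 9, "office-london", 12),
    ("alice", 10, "office-london", 15),
    ("alice", 11, "office-london", 10),
    ("alice", 14, "office-london", 20),
    ("alice", 15, "office-london", 18),
    ("alice", 16, "home-vpn", 14),
    ("alice", 9, "office-london", 16),
    ("alice", 13, "office-london", 11),
    ("alice", 12, "home-vpn", 13),
    ("alice", 17, "office-london", 17),
    ("bob", 8, "office-manchester", 40),
    ("bob", 12, "office-manchester", 45),
    ("bob", 18, "office-manchester", 38),
]


def build_baselines(events):
    """Summarise each user's usual hours, locations and transfer volume."""
    per_user = defaultdict(list)
    for user, hour, loc, mb in events:
        per_user[user].append((hour, loc, mb))
    baselines = {}
    for user, rows in per_user.items():
        hours = [h for h, _, _ in rows]
        sizes = [m for _, _, m in rows]
        baselines[user] = {
            "hour_min": min(hours),
            "hour_max": max(hours),
            "locations": Counter(loc for _, loc, _ in rows),
            "mb_mean": mean(sizes),
            "mb_std": pstdev(sizes),  # population std dev of the history
        }
    return baselines


def score_event(baselines, event, z_threshold=3.0):
    """Return a list of human-readable reasons the event looks out of character.

    An empty list means the event matches the user's baseline. The z-score
    threshold (default 3.0) is an assumed tuning value for this example.
    """
    user, hour, loc, mb = event
    baseline = baselines.get(user)
    if baseline is None:
        return ["no baseline for user"]
    reasons = []
    if not (baseline["hour_min"] <= hour <= baseline["hour_max"]):
        reasons.append(
            f"hour {hour} outside usual window "
            f"{baseline['hour_min']}-{baseline['hour_max']}"
        )
    if loc not in baseline["locations"]:
        reasons.append(f"location {loc} never seen before for this user")
    std = baseline["mb_std"] or 1.0  # avoid division by zero for flat history
    z = (mb - baseline["mb_mean"]) / std
    if z > z_threshold:
        reasons.append(
            f"transfer of {mb} MB is {z:.1f} std devs above mean "
            f"{baseline['mb_mean']:.1f} MB"
        )
    return reasons


def flag_events(baselines, events):
    """Map each anomalous event to its reasons; normal events are omitted."""
    return {ev: reasons for ev in events if (reasons := score_event(baselines, ev))}


BASELINES = build_baselines(HISTORY)

if __name__ == "__main__":
    # Constructed new events: one normal, one clearly out of character.
    new_events = [
        ("alice", 14, "office-london", 20),
        ("alice", 3, "vpn-unknown", 400),
    ]
    for ev, reasons in flag_events(BASELINES, new_events).items():
        print(ev, "->", "; ".join(reasons))
```

In a real deployment the baseline would be refreshed continuously and the thresholds tuned to the organisation's false-positive tolerance; the point here is only that an early warning can be raised on deviation from a learned pattern without the monitoring staff knowing in advance what the misuse will look like.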
Although it may appear obvious, it is worth stating that awareness and training are two different but inter-related concepts. Awareness provides users with the information they need in order to avoid making mistakes, while training equips them with the skills they require to deal effectively with challenging situations when they arise.
This chapter focuses mainly on changing people’s behaviour, so that instances of people-related cyber-attacks can be reduced.
AWARENESS
Awareness of cyber security issues permits both individuals and an organisation’s users to act as a first – or indeed a last – line of defence in combating cyber-attacks. It is never a one-off activity and should be considered to be an integral part of personal development, while remaining a rather less formal activity than training.
An awareness programme allows people to understand the threats they face whenever they use a computer; the techniques used by social engineers to achieve their goals; the vulnerabilities faced by them or by their organisation; and finally the potential impacts of their actions or inactions.
This doesn’t imply that it is necessary to turn everybody into cyber security experts, but that a basic level of understanding is required, similar to that in driving a car – we need to know how to operate the vehicle, the rules of the road and the dangers we face, but we do not need to understand how the engine management system works. At a fundamental level, you should always lock your computer screen when leaving it unattended, remove any printed material that is in any way sensitive, and lock your desk.
As with any process, there are a number of discrete steps in an awareness programme:
Like many other aspects of working life, awareness is a journey, not a destination, since new people will join the organisation and need to be included in the programme, and new threats and vulnerabilities will arise.
The campaign should also focus on continuous reinforcement through such things as poster campaigns and pop-ups when people access the internet or log on.
The general trend of user engagement in the programme should be along the lines of:
Ways of overcoming obstacles to awareness programmes
It is easy to assume that once an awareness programme is underway all will go to plan, and organisations will only need to react and respond to problems when they arise. However, if forewarned about some of the possible issues, organisations should have a contingency plan in place so that faster reaction is possible.
Some of the issues that organisations may face include:
Programme planning and design
The process commences with the establishment of a small team who will develop and run the programme. Some of them will naturally have a degree of expertise in information security, while others may represent those parts of the organisation that might suffer serious impacts in the event of a cyber-attack. It may also be beneficial to involve the internal audit function, who may be able to offer constructive advice, since a programme such as this may well be audited at a later stage, and from personal experience I can attest that it’s always good to have audit on your side.
The team’s initial task will be to define the exact goals and objectives of the programme, and this will include whether the target audience is to be the whole organisation or just a small part as a pilot project. This latter option may be a much more beneficial approach, since it should be able to achieve its objectives on a small and therefore less costly scale before the programme is widened to include everyone.
In the initial part of the programme, the target audience might also be limited to one particular type of user, such as:
Alternatively, the organisation may decide to target a cross section of users from different groups so that the overall organisational benefits can be seen, rather than solely those for a particular community.
Some topics will have greater relevance to particular target groups, such as the issues of social engineering, which may possibly be more relevant to staff who have regular contact with customers and suppliers than to those who do not. This does not imply that those who do not have as much external contact should not be included in that aspect of awareness, but that they might gain less from it.
Next in the development of the programme, the team must clearly identify the topics that will be covered. It is pointless trying to cover all aspects of cyber awareness, since this will simply overwhelm the audience; instead, the programme should focus initially on a very tightly defined subset such as usernames and passwords, spam email or social engineering. The campaign can be widened at a later stage once the results of the earlier work have been examined and the techniques used have been refined where appropriate.
The methods of communicating the message to the user community will vary considerably, and may well consist of some or all of the following:
Once this part of the work is complete, the team may well have to approach the senior management team or board of directors to obtain funding approval, since it is unrealistic to expect that the work can be undertaken at no cost.
As with all business cases, the approach should focus on the likely impacts that will occur if the work does not proceed, as well as the benefits that will accrue when it does. This is another reason for keeping the initial part of the campaign to a reduced volume of information, since the costs will be lower, and the board should find it easier to give approval. Success at this early stage will then make it much easier to obtain board approval for further expenditure when the campaign moves on to cover more aspects of cyber security awareness.
The costs can be more easily identified if they are broken down into manageable areas, for example:
Some of these will be one-off costs, while others will be recurring, and the board will expect that these will be clearly identified.
It should also be possible to attempt to quantify the potential impacts, since the directors of organisations will need to be certain that the programme will deliver value for money and will wish to understand the consequences of not undertaking the exercise.
Potential impacts can include not only the direct financial losses anticipated if a particular incident occurs, such as the loss of sales revenue and the expenditure that would be incurred in responding to and recovering from the incident, but also the indirect losses such as share value, brand and the organisation’s reputation; although these can be rather more subjective in nature, they still require consideration.
Delivery and management of the programme
Although we have called this an awareness campaign, it actually goes further than this, because awareness is only the first stage in which the target audience is made aware of what they should know and when they are likely to need the information. This may be delivered in a variety of ways, for example by printed material, email, electronic newsletters and intranet portals for those organisations having more sophisticated resources.
The campaign then moves up a level so that the target audience gains an understanding of why they need to be involved and how best they can participate. This may include raising awareness topics at team meetings and delivering specific presentations on the subject matter.
Evaluation and modification of the programme
Finally, the campaign is ready to see results from the earlier work and to evaluate its effectiveness, and as the campaign develops and widens its scope, the organisation will expect to see the benefits in reduced instances of successful cyber-attacks and fewer negative impacts on the organisation’s information and systems.
The team must ensure that the entire exercise has been carefully documented, and that they can demonstrate the resulting benefits at the end of the pilot project so that more of the organisation and additional areas of cyber security awareness can be addressed.
Once presented back to the board, success should breed success, and the team should be better placed to move on to raising awareness for the wider organisation or in more topic areas. The board presentation should focus on both the financial and non-financial benefits, and the value to the business itself and also to its external stakeholders, including suppliers and customers and the sector regulator if applicable. It should be completely honest about both the overall costs and the potential impacts of not progressing with a full rollout.
Once the board have given their commitment for this, the pilot user group should be given acknowledgement for their involvement, as this will not only reinforce the importance of the programme but will encourage others to become actively involved.
TRAINING
As mentioned earlier in this chapter, awareness and training are two entirely different, but interconnected, concepts. While awareness places cyber security issues firmly in the minds of the user community in an organisation, training will deliver very specific and often highly targeted information to those individuals or groups who have a specific requirement for it.
Training, and especially highly technical training, can be costly, but as with awareness it has a direct payback in terms of reducing the number of incidents and the potential financial impact on the organisation.
Cyber security training falls into two distinct categories:
Appendix D lists a number of sources of cyber security training and suggests appropriate topics.
A few final points to consider
In the case of product or technology-specific training, it should be considered that technology changes at an alarming rate, and the need for updated courses will undoubtedly become necessary as time progresses. The requirement for ongoing budget allocations for this should be factored into the cost estimates when preparing business cases.
One method of reducing training costs is by identifying those staff who already possess training skills, and who can pass on their knowledge to others. This ‘train the trainer’ approach can work well when budgets are limited, although it may not be the best solution if the people who are intending to deliver the training are inexperienced in how to train others.
The business cases for both generic and specialised cyber security training will need to be developed and presented on a case-by-case basis and should be presented in a similar manner to those for the awareness programme. However, instead of being focused solely on benefits to the organisation as a whole by targeting all users within the organisation, these business cases should also focus on benefits to the organisation by addressing the specific training needs of individual specialists and the general areas in which they will benefit the organisation.