More than 90 years ago, Henry Ford famously commented that “most people spend more time and energy going around problems than trying to solve them.” And not a lot has changed since then. Take IT security for example.

Year after year, CIOs rank their own employees as their number-one security challenge, and year after year they collectively spend billions of dollars on the latest and greatest security products in a vain attempt to restrict behaviour instead of getting to the root cause of the human error that concerns them so much.

This paradox between the top security challenge and actual security spending is certainly curious. You’d hope that, over time, if there was a focus on reducing the source of concern, it would eventually move down the list of challenges. All too often, though, people are not considered part of the solution, just part of the problem. The bottom line is that low security awareness among employees is considered the greatest inhibitor to security, yet resources are continually spent on trying to take people out of the equation rather than on trying to address the underlying issues.

This reliance on products over processes will have to change at some point. IT security budgets have increased considerably over the years in an attempt to stem the tide of successful attacks. However, when faced with adversaries that are well financed and keenly focused, organisations will never have enough funds to buy all the technology they require, and the emergence of cloud, mobility, and social media has made it almost impossible to plug security gaps with technology anyway. IT security chiefs must stop looking at technology solutions only and instead adopt a new security model — one that incorporates people and policy into the IT security mix.

The resistance to this stems from the fact that people are the prime target of the attackers, because the attackers know that the easiest way to enter a network is to be invited in rather than relentlessly pounding on the security infrastructure until it cracks. Phishing was created specifically to facilitate this aim, while attackers have also been known to create spoof Web pages with malware that users are directed to via spam or even directly implant malware into websites that they know specific groups of users will visit.

A more recent attack vector geared directly at users is so-called ‘malvertising’, which uses a legitimate Web advertising network as the avenue for feeding malicious content to users. Malvertising is becoming especially acute on mobile networks, and increased connectivity coupled with reduced network perimeter defences makes it much more difficult to stop these efforts.

Simply put, people are being targeted now more than ever because of mobility and social networking. As such, the desire to shut out the human element wherever possible is, to some degree, an understandable reaction. But it is ultimately futile.

The network perimeter gateway was previously the primary protection point, but with the exception of the datacenter, the network perimeter is becoming nonexistent with the rise in mobile computing, the use of cloud-based services, and the expanding number of users. IT security has long consisted of layers of different security technologies — firewalls, antivirus (endpoint, messaging, and Web based), intrusion detection, authentication and authorisation, encryption, email protection, URL filtering, vulnerability assessment, and security event correlation, as well as dozens of other technologies. But even with all of this in place, attackers continue to penetrate the defences.

Exacerbating the problem is the fact that IT teams no longer have the control over IT resources that they once enjoyed, while another common complaint is that the mix of security skills on hand can’t possibly meet the complex security needs of the day. This is why it is imperative for organisations to increase the security awareness and capabilities of their users. In this way, they can become a force multiplier, reducing the possibility that they will introduce malware into the organisation or provide an attacker with some other avenue for exploitation.

Successfully integrating people, policies, and processes into the security equation will require enterprises to create a culture of safety and security. This can’t be done just by offering an annual security awareness training course. Instead, security education must consider how people work, what their values are, and what drives their behavioural patterns.

The keywords here are training and education. Training is an event that teaches specific skills and behaviours; education is a long-term effort that lays a foundation of knowledge that provides understanding resulting in intellectual buy-in and changed behaviour. And flush with proper awareness, employees will be intrinsically involved in mitigating future risks.

Security-aware users will never replace dedicated security professionals, but they will be better equipped to adhere to corporate guidelines, communicate knowledgeably with the IT security team, and provide timely feedback on the organisation’s overall security posture. Henry Ford knew almost a century ago that the root causes of any problem had to be tackled head on for true progress to be made, and if enterprises are ever going to regain the initiative from their heavily armed adversaries, it is time they heeded his advice.

The columnist is group vice president and regional managing director for the Middle East, Africa and Turkey at global ICT market intelligence and advisory firm International Data Corporation (IDC). He can be contacted via Twitter @JyotiIDC.