Source: CSO USA
A COMPUTER PASSWORD is tacked up casually on the cubicle wall. A door out back is wedged open during a quick cigarette break. A laptop is left carelessly behind in a taxi ride to the airport. And suddenly it doesn't matter how good your company's security system is. It has just succumbed to human failure.
"I can have all the gadgets in the world," says Chris Apgar, data security and HIPAA compliance officer for Providence Health Plans, "but if people don't understand the basics--like don't send things over the Internet, and make sure your files are put away--well, I can spend millions on security, and it won't do any good."
And so it goes with corporate security. People get busy. Or distracted. Or careless. Or downright malicious. In fact, if there's one thing about which people in the security field readily agree, it's that weaknesses in user practices pose a bigger threat to an organization's security than any vulnerabilities in technology do.
"The best technology can always be circumvented by an employee," says Gary Morse, president of security consultancy Razorpoint Security Technologies. "You can have the best security policy in the universe, but people just get busy."
Without a doubt, the employee is often the weakest link in the security chain. "People think, It's just data; it's not really important," says Thomas Luce, former CSO of Rochester Health Care Information (RHI) Group and now an independent security consultant. "They don't understand the damage they could do, especially in health-care and financial services companies."
And so a solid recipe for a truly effective security strategy needs to include two parts common sense--and a certain amount of change management. "Security is not simply a piece of technology," says Apgar. "It's a culture and a process and a procedure and an indoctrination."
"An organization's technology is only as strong as the people behind it," adds Roger Hughes, president of Data Security Auditors, an independent auditor. "Systems and processes are built by employees." That makes it imperative that you work to change the thinking in your organization from "Nothing bad will happen here" to "If I share my password, this can happen," or "If I leave an area unsecured, that can happen."
The biggest challenge facing the security industry is knowing how to transform an organization's users from its biggest vulnerability into the first line of defense. The bad news is that it's not going to be easy. The good news is that it's not going to be impossible. Here are three steps to get started.
Step One: Develop a Written Security Policy
Although it may seem like a painfully obvious omission, the truth is that many companies have no real security policy. And of the policies that do make it onto paper, many go the way of screenplays written by struggling writers--passed around a lot, occasionally asked after but never really read. "The omission of a formal security training scheme is the norm," says Michael Casper, information security officer at Wachovia Bank. "So simply having formal training materials and implementing them is paramount to the beginning of security education success."
An effective security policy must first of all be put in writing. And in doing so, it should clearly spell out every last detail of company practices, such as how information technology employees should identify themselves when contacting a remote user about a technology problem, what types of e-mail are appropriate and how often users should reset their passwords. In addition to emphasizing security inside the building, a security policy should also address the dangers that lurk outside--including the risks of using laptops on business trips or carrying data on PDAs.
"It all boils down to a company having a solid yet understandable data security policy and procedure program," says Data Security Auditors' Hughes. "You know, making sure everybody knows what's OK and what's not OK."
Just as important as creating a policy, says Razorpoint's Morse, is making sure that the policy is uniform across all company locations. An organization that lacks consistency in its policy is vulnerable to social engineering attacks, for example, where a hacker can gain access to data or passwords by calling an employee and pretending to be from another location within the company. "In a word, people have to verify," Morse says. "They have to be able to say, Who is that person, and how do I know?"
The tricky part lies in massaging a policy so that it protects valuable data while allowing users the flexibility they need to do their job. Providence Health Plans' Apgar tells of an incident at his company when, upon discovering that Providence shared some systems with another health-care company, Providence had to put controls in place. The problem was the systems had little capability to limit access, so Apgar needed to do it without cutting off his own users from information they needed. "Data security got in the way of itself," he says. "Instead of the security people saying, Maybe we should look at this and see if we can live with it, they said, Oh, the attorney said to do it, so we'll have to turn it off." After careful consideration and some heated discussions, Apgar's group made the decision to build new controls into the system at minimal cost, which ended up working to everyone's satisfaction. CSOs must first take the time to understand the business and users' needs before setting limits.
In addition, Hughes points out, it's critical to look at business partners outside your own firewall with whom you might be sharing information and address potential vulnerabilities in the security policy. "If you're in manufacturing and you're sharing proprietary information with the vendors helping you build, you might be secure, but how secure are your vendors?" he asks. A solid security policy covers all those bases.
Step Two: Sell the Policy
It's no secret that those who are well suited to create a security policy are not always the most adept at getting its message across. "Security professionals don't always make the best communicators," admits Stacy Bresler, senior information security principal at Pacificorp, a subsidiary of ScottishPower. When Bresler and his team implemented a new security awareness program for Pacificorp's users, a group from corporate communications helped prepare the presentation material that was handed out to employees during awareness training sessions. "Good experts have a way of understanding and spreading that understanding," he says. In addition, Pacificorp's security team hired professional actors to play out the message in a video. Every employee was required to either attend a security presentation or watch the video.
Security, except to a select few, is about as exciting as watching the grass grow...in the desert...during a heat wave. "I think you have to be a certain person to care about security," says Bresler.
Independent security consultant Luce agrees: "Security is a boring topic to most people. So you have to put stuff in to counter that and get people's attention." His suggestion: Make it fun. When he worked for RHI, he introduced an in-house security training plan with a kick-off party. On occasion, he would also run tests to see who could catch potential security breaches. Those who discovered them were rewarded with gift certificates for dinner or points toward a bonus vacation day.
At Providence Health Plans, Apgar strives to take a positive approach to get his users' attention focused on security procedures. "Instead of saying, You have all this stuff you need to do, we say, We do 80 percent of this already, and we just need to do it better." And, he insists, trust is a key ingredient to a secure organization. "If you trust people to be honest and professional, 90 percent will be," he says. "If you expect the opposite, that becomes a self-fulfilling prophecy."
Since security is not top of mind for the typical user, security executives must also emphasize the rules stated in the policy regularly. "It's an educational process, and it's repetitive," says Luce. This repetition becomes particularly important when the company's policies change. "Once everyone is trained, you have to have everyone sign off on [the policy] every year," says Hughes. "Give them an updated version, educate them on what the changes are, and have them sign something saying they agree to comply."
Any method will work--as long as the education takes place. For example, a security officer at a large food manufacturer says his department publishes frequent security bulletins with reminders about keeping passwords safe and cleaning sensitive data off machines. The company then distributes hard copies to everyone because employees are more likely to read paper than they are to read e-mails, he says. At Providence Health Plans, Apgar varies his approach. "We do training periodically," he says. "We keep the lines open, combining a number of different approaches, from formal training to an informational stop in the hall. We're taking it a little bit at a time." At Pacificorp, Bresler and his team conduct walk-throughs at individual desktops, performing surprise audits and reminding users of the rules.
Step Three: Enforce the Policy
While a company's security team is ultimately responsible for generating security policies, some of the onus for enforcing them should fall on department managers. In the health-care industry, for example, Apgar has learned that good security means performing a balancing act between giving people enough information to do their job and keeping privacy intact. One of the keys to that, he says, is keeping the lines of communication open with department heads so that if breaches occur, management can play a role in repairing them.
When Apgar learned that users in his organization had broken two of the cardinal rules of health-care security--don't fax screen prints from claims, and don't use the system to look up your own information--he went to the appropriate department managers and helped them decide how to educate their staff. Pacificorp's Bresler follows the same advice. He and his security colleagues expect middle management to accept the bulk of responsibility for enforcing security policies. "In an organization of our size [8,000 users], we're not going to micromanage down to the end users," he adds.
Bresler says that managers should also be responsible for enforcing the rules related to wireless security. "Business managers want their users to be productive but don't consider the risks associated with that," he says. For one thing, Bresler says, it's rare for business managers to communicate to users the dangers of connecting a laptop holding sensitive data to a hotel LAN. "Wireless is convenient, cheap and handy," adds Morse. "Unfortunately people want the quick fix, and they take it out of the box and they go through the quick start guide. They don't turn on access passwords or the encryption." It's possible to make wireless devices much more secure, he says, but it involves some extra work on the part of the users.
Delegating accountability to your users is also key to a security policy's success. If "it will never happen here" takes first place as the CSO's least favorite sentiment, "a security breach won't really affect me" comes in a close second. "A lot of people don't understand the implications of what the information could do outside of their hands," says Luce. Once users comprehend the importance of the data they safeguard, they should know that failure to comply with security policies could mean a big fat black mark on their record. After all, most users are more interested in their personal interests than those of the company. If users know that their personal well-being is at risk, they will start to think about corporate security in a whole new light.
"Some companies have updated their packets, and there are whole sections saying, 'You will maintain proper passwords or you'll be fired, or liable, or both,'" says Razorpoint's Morse. Pacificorp's Bresler thinks a "three strikes and you're out" policy is ideal.
To that end, security experts say, it's critical to work closely with the human resources department. Forging a strong link can build valuable and necessary support, says Hughes, and will guarantee follow-through if breaches occur. "IT and HR must work in concert with the COO or GM to make sure people understand these policies and procedures," says Hughes of Data Security Auditors. "Have a luncheon or seminar or a new-employee orientation where the security policy is part of it. Have employees sign it, and make sure they know they're accountable. If they do something that costs the company money, that's grounds for termination."
Just as important as preaching accountability is practicing it. Luce notes that even when companies write such accountability into their policies, a lot of users don't pay attention. Senior management, he says, is prone to letting offenses slide. He recalls performing security audits at organizations with supposedly zero-tolerance policies that looked the other way when security breaches happened by accident. That, he says, is asking for trouble. "Human nature says you'll get away with whatever the minimal amount of work is," says Luce. "If you don't put something in place to force users to use real passwords, then they won't."
Scare tactics are a controversial way to guarantee compliance. Luce is an admitted fan of using horror stories when he conducts audits. "I do quite often use scare tactics, usually with a newspaper article about a lawsuit. That does a really good job on presidents and CEOs," he says. Apgar of Providence Health Plans also uses such a strategy, but cautions against relying on it too often. "I use horror stories judiciously," he says. He worries that too many tales of security gone wrong could turn him into Chicken Little. But he says he's not averse to telling senior management stories that hit close to home, like breaches that have happened in their own industry.
Bresler adds that he prefers to sanitize the story of something that actually happened to Pacificorp and make it public. "These things do happen and have resulted in dismissals," he says. Users who hear "this could happen to you" stories are more likely to take security policies seriously.
In the end, technology can do a lot to protect precious corporate assets, but it can go only so far. The rest is up to the users. "You can have a really nice garage, but if there's no door on it, it's wide open for a car thief," says Hughes. The harder the CSO works to make users the responsible stewards of corporate data, the safer a company will ultimately be.