There’s a saying, ‘do as I say, not as I do,’ which seems to resonate in the executive corridors of far too many organizations. In this cautionary tale, we use the saying to build a fictitious scenario, created to illustrate just how dangerous double standards can be when applied to information security policies and procedures. Our unfortunate protagonist is the managing director, who believes the rules don’t apply to him.
The headlines said it all. Tom Smith’s company was splashed across the news and he knew someone in his company was in trouble. As a call center, it wasn’t just his own database that had been left hanging out to dry, but also those of his 400+ clients, which contained some very personal information. He wasted no time. Someone was to blame, and the root of the problem had to be dug up. Tom contacted his Chief Information Security Officer, Rob Banks. The instruction was simple: find the source of the leak, plug it, and whoever was responsible was out.
Rob wasted no time in trying to find who was to blame, and Tom was more than happy for him to do so. Of course, being interviewed by Rob was a little strange, but his thoroughness demonstrated that he was taking the situation seriously. As they sat down, Tom reassured Rob that he should treat him as he would ‘any other suspect’ and forget their respective positions within the organization.
So Rob did.
Rob’s first question caught Tom a little off guard. Yes, he’d seen, read and understood the policies and procedures surrounding information governance. In fact, he’d been instrumental in helping Rob write them!
As Rob moved quickly on to the security policy, Tom began to feel like a suspect. He confessed he hadn’t changed his password recently, even when the message flashed up prompting him to do so. Making up new complex passwords is not best done under pressure. Yes, in an ideal world he would change it every four weeks, but in reality who was actually doing that? The fact that everyone Rob had spoken to so far said they knew the rules didn’t mean they were actually following them. And Rob’s comment that Tom was in violation of the security policy was just churlish.
Rob asked Tom if he was aware of the protective technologies the organization had deployed to provide a formidable security blanket. Aware of them? Tom had had to sit through endless presentations with Rob from the various vendors touting them. The social engineering test that the penetration team had conducted was infamous for the stunts it had pulled. Tom was quick to remind Rob that every highlighted area had been addressed, with no expense spared.
Tom’s encryption habits were the next element Rob scrutinized. Tom had to admit he hadn’t upgraded the program on his PC yet, as he was worried about compatibility problems opening older files. He’d started to do it, but he’d been under pressure and it was taking so long that he’d had to abort it. This didn’t mean he wouldn’t. When he confessed he’d ‘switched off’ encryption on his laptop, Rob became really agitated. In Tom’s defense, it had slowed down performance, although not by a huge amount, and Rob had to realize that every second counts. Yes, Tom agreed, he knew this violated the security policy.
Rob’s interrogation continued. This time he asked how many other devices Tom used during the day. A little more bullish, Tom pulled out the corporate-owned smartphone that he used for email. Rob asked if there were any ‘personal’ devices Tom owned and, rather proudly, Tom pulled out his shiny new iPhone 4S and laid it rather tenderly on the table. He didn’t use it for business, so it was okay that he’d not told anyone. Rob snatched it up, and his horrified expression said it all as he opened Tom’s personal Hotmail account and started looking through the various messages, complete with attachments, that Tom had forwarded to himself. ‘It’s got a better screen to see the graphs and charts on’ sounded a little hollow even to his own ears, and Tom knew what was coming next. It was a clear violation of the security policy.
In for a penny, in for a pound, Tom decided to come clean about his iPad. He’d wanted to work on the train, and the laptop was just so cumbersome to haul back and forth, so this was far more convenient. He’d transferred some documents to work on: the payroll, some R&D reports, a few tenders, and of course the latest board minutes. He’d never dream of moving a whole database to it! Rob then showed him how, from the iPad, he could reach the corporate SharePoint site and its Aladdin’s cave of information. If only Tom had known, he could have been so much more productive. Rob warned that this too was a violation of the security policy.
Rob moved on to examine Tom’s laptop, and it didn’t take long to identify the malware skulking in its operating system, spewing passwords and login credentials across the ether. Rob had identified where the leak was and could plug it. The question was: did Tom still want the person responsible out?
So, what does this scenario demonstrate? Even if an organization is doing all the right things, if the people within it aren’t, then it’s all for nothing. Although security and governance issues are increasingly being discussed at board level, the perception remains that senior personnel believe IT security policies and procedures apply to the general workforce, while they themselves don’t necessarily practice what they preach.
When data loss has become a daily news headline and regulators are hitting organizations with lax attitudes towards data security hard, IT departments should be able to count on their board members and senior management teams to lead by example.
To avoid falling into the same trap, organizations need to take an enterprise-wide approach to IT security awareness programs and take the following steps:
- Introduce policies and procedures that keep the organization safe.
- Write them clearly, so everyone can understand them.
- Think carefully, when signing off policies and procedures, about whether the measures outlined are workable in daily practice. People will always find ways around rules that prevent them from doing their jobs effectively.
- Improve IT security education, so that every single person not only knows what they should be doing, but also why they’re doing it and the consequences of not following the rules.
- Differentiate IT security awareness programs, so people don’t get bogged down with policies and procedures that don’t apply to them. People are far more likely to remember and adhere to security rules that are applicable to, and relate to, their job function.
- Regularly update policies and make sure everyone knows when this has happened.
- Enforce important security practices and technologies technically, with no option for users to override them. In the scenario above, a laptop whose disk encryption the managing director could simply switch off was a control that existed on paper only.
- Apply disciplinary action consistently across the organization when an infringement occurs, regardless of the offender’s seniority.
Dominic Saunders is Senior Vice President of the NETconsent business unit at Cryptzone. The Cryptzone Group is a technology innovator of proactive controls to mitigate IT security risk in the key areas of policy compliance, content security, secure access and endpoint security. For more information, visit www.cryptzone.com.