The role of User Behaviour and Security Hygiene in Information Security

What is the difference between Information Security and Cyber Security?

Information is a critical asset in the operation of any business. The data you capture, record and share every day is the very definition of your relationships with vendors and customers, as well as the foundation for your internal operations and business processes.

Information security, cyber security, data security, IT security, ICT security, data security – do they all mean the same thing? No, they don’t, although the terms are often used interchangeably.  For example, Information security is about the protection of information, regardless of whether it is stored digitally or not.

Here is a diagram that highlights this approach: (original diagram from CCIS security versus information security)

 

Data security is about securing data – which brings us to look at what the difference could be between information and data. Data on its own carries no meaning. Data becomes information when it is interpreted in a context and given meaning – for example, a sequence of numbers that could be a representation of a birth date.

“Information security is about safeguarding these critical information assets, ensuring the integrity of the data on which you base decisions and transactions, its availability to your business operations and its confidentiality for both you and your customers. It is a process of putting policies, procedures and technical mechanisms in place to protect, detect and correct problems before they threaten your business. And make no mistake – anything that threatens your information systems does threaten your business,” states a white paper on the subject.

Quoting from Infosecurity Magazine, who also host the event of the same name:  Speaking at Infosecurity Europe June 2017 Professor Angela Sasse, director, UK Research Institute in Science of Cyber Security, UCL, said that good security is not just about having ‘better’ policies as a lot of security policies are very counterproductive if they "do not work for people.”

As a result, Professor Sasse claimed it’s now time for a shift in thinking if we are to improve user behaviour, with particular focus on moving away from the notion that the human is the ‘weakest link’ in security who should take the blame for security issues.

“There is this need to reshape the relationship between the IT security team in an organisation and the people who use IT security,” she added.

Users must become more involved as they know more, and demand more availability.

There are two areas of user that we need to take into consideration – users in the workplace as employees; and individual personal users whose bypassing of security could also inadvertently end up affecting your business as well as that of your clients.

Today’s networks and systems are faced with the conflicting goals of availability, security and scalability. Users are most concerned with availability – they want to use the tools of their job and, of course, you want that as well. When they perceive information security procedures as interfering with their workflow or personal agenda, they often defeat those procedures either unwittingly or intentionally.

To further quote the white paper on the role of user behavior in Information Security:

“Users today are more sophisticated about technology’s capabilities than ever before; some of them have never known a world without computers and Internet access. They use a greater variety of mobile devices, all with robust computing power, from smartphones and cellular devices, to netbooks and laptops, to multimedia devices like MP3 players, digital video recorders, digital cameras and gaming systems. They have more experience with data portability, so they know how easily digital data can be shared, moved, distributed and repurposed. They know how to sync their portable devices with home and work networks, how to transfer files for use on multiple devices and how to connect everything from phones to televisions and game systems to the Internet.

Most of the people who use your network are perfectly comfortable with the processes of sharing data, because they do it every day at every level of their lives.

As the Internet of Things, and the Internet of Everything becomes ever more prevalent in how we live our interconnected lives, we occupy a digital world where families share digitised grocery lists, contact lists, online photo albums and downloaded games; social networks share blogs and tweets, connect through facebook, meet online to play together in Massive Multiplayer Role Playing Games (MMRPG), and keep track of each other with breadcrumb trails on web-based community maps.

So when you offer them access to your intranet or databases, sharing will come naturally to them. And this is when your organisation's effective communication of methods and procedures to your workforce becomes essential to the hygiene of your information security systems.

But They Don’t Know What They Don’t Know

Unfortunately, many users are naïve about their role in defending your information systems, and understandably so. The risks and vulnerabilities can be difficult to comprehend and harder to anticipate. Information security thinking is often server and desktop focused, giving virtually no attention to protecting the mobile and portable technologies many workers use most. Even experts who focus on security issues can be challenged to keep up with the increasing threats to today’s digital data.

If confidential information about your customers, your finances or your new product line falls into the hands of a competitor, you can lose your competitive advantage at best or suffer significant market losses at worst. Data and privacy compromises make the news today; a security breach that puts your name in the headlines cannot only damage your reputation and your credit rating, but can leave you exposed to lawsuits and even bankruptcy.

Increasingly, government is responding to concerns about information privacy and security, creating new regulations about how customer and financial information should be protected. Failure to comply with these regulations can result in punitive fines, lawsuits and even personal liability for breaches. Every one of these risks carries with it significant associated costs – ranging from the predictable, such as operational losses while you identify and correct the problem, to the unpredictable, such as the time and money you’ll need to invest to rehabilitate your marketplace image. If you can manage the risks proactively, you can reduce your total cost of information system ownership simply by saving your organisation innumerable complications.

Quoting again from Infosecurity magazine blog, Professor Angela Sasse who has been speaking at Info Security 2017, outlined a couple of points to get security to work for people in an effective way.

The first of these is realising that, for security experts, security is the main priority, but that is not the case for the vast majority of a workforce who are focused on their day-to-day jobs. “It’s your (security experts’) responsibility to design security that fits with individuals’ tasks and the organisation’s business process.”

The second, Sasse continued, is that security communications must be NEAT–

  • Necessary
  • Explained
  • Actionable
  • Tested

“Very few people don’t care about security, it’s just that they can’t pay attention when they are overloaded or feel like they are being told to do things that don't work or offer them anything.

“Advice must be given in a simple, concrete format.”

The importance of internal communication in your organisation: 

How are you helping your workforce to have strong information security behaviour, and to keep up with the many changes that occur?

They don’t know what you haven’t told them.

Users can suffer from a lack of clarity about information security. As basic as it sounds, many organisations do an inadequate job of defining and implementing good policies, counting instead on compliance measures, technical mechanisms or a thinly staffed, overworked (and sometimes even non-existent) security team to protect them. Even those organisations that have thought through their information security policies often do a poor job of communicating them to users. Many security systems are entirely undocumented.

Adhering to proper procedure: 

Don’t make it easy for users to dismiss compliance procedures as roadblocks to productivity - the best and smartest of your people, intent on getting their jobs done, will simply work around your security systems, which could mean unauthorised access sharing, intentional defeat of technical limits or the connection of unapproved equipment to your network.

Others will merely halfheartedly follow your poorly explained procedures – and in this way lies the madness of passwords posted on sticky notes, as a quick example.

There is a realisation that security awareness and education alone are not the answer, as there is no cure for a lack of security hygiene with unworkable policies or useless tools.

“What you want is a change in undesirable behaviours – this is neither a quick nor cheap option, and it’s not a job for amateurs.” Professor Sasse says her key piece of advice for companies looking to improve the behaviour of their users is through engaging with them, and to really mean it.

 

Compiled by Karin Dubois, Network Group, with acknowledgement to Infosecurity Magazine