October 4, 2014

A case for security awareness

There are many circulating requirements for maintaining a security awareness and education program, particularly if you work under the National Industrial Security Program Operating Manual (NISPOM) or in any government organization (such as the Department of Defense). Unfortunately, many organizations, whether private or public sector, neglect to invest properly in this type of program, which raises the risk of future security breaches. Employee negligence through risky behavior is one of the main contributors to major data losses. In the Global State of Information Security Survey 2015, which surveyed over 9,700 executive-level officers from 154 countries, most respondents attributed the majority of security incidents to employees. The report shows that detected security incidents have grown at a compound annual rate of 66% since 2009, and the number of respondents reporting losses of $20 million or more doubled over the previous year. Large breaches can have significant financial repercussions through litigation, large fines, or worse; in public sector organizations, a major breach could potentially affect national security.

Data breach stories

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) investigated the Skagit County, Washington government for a Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy and security breach. Skagit County is a small municipality in the Northwest with a population of less than 200,000. Electronic protected health information (ePHI) of over 1,500 individuals was accessed by unknown parties after the county accidentally moved ePHI to one of its publicly accessible servers. Many of the exposed files contained protected health information concerning the testing and treatment of infectious diseases. As a result, the Skagit County government agreed to a $215,000 settlement and to work closely with HHS on correcting its HIPAA compliance issues.

In 2011, attackers breached the networks of RSA, the security division of the EMC Corporation, and reached highly protected areas by targeting employees with a combination of social engineering and phishing. The information taken from RSA was later used to mount attacks against the major defense contractor Lockheed Martin. For a company specializing in security, this was embarrassing: RSA's networks were breached not through a technical flaw but through the human element. EMC estimated that the breach cleanup cost approximately $66 million.

These are only a couple of real-life examples of costly breaches caused by negligence.

Another worrisome trend from the report is that, despite the increase in security risk, many organizations hurt themselves further by reducing security budgets and cutting back fundamental protection practices such as awareness programs. You cannot reduce risk by cutting the very measures that address it. Employees rarely create unnecessary risk intentionally; they usually do so through a simple lack of awareness and training. I am a firm believer that most people have good intentions but simply lack the appropriate knowledge when it comes to security. How can you expect anybody to protect sensitive information they have been entrusted with if they were never properly trained? They cannot comply with policies and procedures that they do not know about. Your security program can only be as strong as its weakest link, which is all too often the human element. In the security arena, an ounce of prevention is worth far more than a pound of cure.

"[A]wareness mitigates non-technical issues that technology can't...you will find that security awareness is one of the most reliable security measures available."
-Ira Winkler, President of the Internet Security Advisors Group and one of the most influential security professionals.

Viable security awareness and education programs help develop a strong security culture that goes a long way toward preventing breaches. Done correctly, such a program enhances the overall security program by empowering your workforce to be security advocates. This is why so many regulations require one. Through awareness and education you impart the security knowledge the workforce needs to be an active component of your security program.

A security awareness success story

In mid-2014, Computer World created a proactive awareness program in response to a developing Syrian Electronic Army (SEA) threat. The program detailed what employees should look out for, what to expect, and how to respond to the SEA's typical tactics. When employees began to receive the SEA's spearphishing messages, they recognized them and reported them in accordance with their training. The employees were able to prevent a compromise because they had been equipped with the right information.
