After 6 years of faffing around, my Core Concept Security website is finally up and running! Click (https://coreconceptsecurity.com).

It’s very basic, so I should be grateful for your comments / suggestions on improvement.
Many thanks,
David
Just as a ‘service on the Internet’ – which we’ve had for decades – is now called The Cloud, Human Resources is now known by more touchy-feely names. Talent, People, Employee Success, all sound great, but they don’t represent a fundamental shift in the functions the department performs. Or even in HOW it performs those functions, from what I’ve seen.
Regardless of what the department is called, I’ve never seen one take an active part in their organisation’s security program. Not one, in the better part of 20 years, and as I hope to demonstrate, this is a significant loss to everyone concerned.
HR are usually the very first people in an organisation that you talk to, often even before the interview process begins. They are the first ones who can instil the security culture in new candidates from the get-go. Anyone who has tried to implement a security awareness program knows that the loss of this ‘first impression’ makes the task exceedingly difficult. Unnecessarily so. If the joiners had just been told how important security is, AND received appropriate training, they would simply accept it as a fact of life. Try to force it on them after they have already learned the bad behaviours and your impact is enormously reduced.
The fact is most HR departments are not geared to perform any of the above functions. They are simply not trained to do so. I can’t help thinking this is a terrible waste.
I’d actually love to hear from some HR folks, even if you’re gonna tell me I’m way out of line! 🙂
[If you liked this article, please share! Want more like it, subscribe!]
Once again, a ransomware outbreak (WannaCry) has dominated the media headlines, and cybersecurity vendors are scrambling to capitalise. At the time of this writing, the top 3 (non-paid advertising) spots on Google for the search phrase ‘ransomware’ are 2 vendor ads and one ad for cyber insurance. All but one of the remaining page 1 results are doom and gloom / blamestorming ‘news’ stories. The one exception? Good old Wikipedia.
This is the exact same thing that happened the last time there was a ransomware attack, and the time before, and is the exact same thing that will happen the next time. Because there will be a next time.
From the Press’s perspective, this is just what they do, and you’re never going to see headlines like: “NHS Goes 6 Months Without a Breach!”, or “Acme Co. Blocks Their 1,000,000th Attempted Hack!”. Only bad stuff sells, and frankly no-one gives a damn about cybersecurity unless they’re a victim, or they can make money off it.
I have dedicated many blogs to the criticism of cybersecurity vendors for being little better than ambulance chasers. This blog is no different. So let’s be very clear:
Ransomware is NOT a TECHNOLOGY problem!!
If your organisation is the victim of an attack, 99 times out of 100 it’s entirely your fault. Either your people, your process, or a combination of both were inadequate. And I’m not talking about your security program not being cutting-edge/best of breed, I’m talking about it being wholly inappropriate for YOUR business. It does not matter what business you’re in, you have a duty of care to know enough about security to address the issues.
Yes, the bad guys are a$$holes, but we’ve had bad guys for millennia and they will always be part of the equation. Security is, and has always been, a cost of doing business, so suck it up and take responsibility. And if you aren’t even doing the security basics, not only will technology be unable to help, but you deserve what you get.
Harsh? Yes, absolutely, because the basics don’t bloody well cost anything! Not in capital terms anyway. It takes what I, and every other like-minded consultant out there, have been preaching for decades:
So from an organisation’s security program perspective, if you’d had 4 basics in place, WannaCry would not have been an issue:
SOME technologies can make this stuff easier / more efficient, but fix the underlying processes and people issues first. That or get yourself a huge chunk of cyber insurance.
I really should give up being surprised when the most basic of information security fundamentals are performed poorly, but this one constantly amazes me. I guess it’s no different from a doctor being surprised at smokers, or the police being surprised at repeat offenders: we accept as common sense what others perceive as new concepts.
Education and Training is so important that I have listed it as one of The 4 Foundations of Security, along with Management Buy-In, Policies and Procedures, and Governance. The fact is that education is the best and cheapest way for an organisation to implement the desired organisational culture, and to distribute the policies and procedures in a manner where they are actually understood and followed.
The intent of PCI DSS Requirement 12.6.x is to ensure all employees are trained in their security responsibilities as they relate to the protection of cardholder data. That’s it, just cardholder data, so you can obviously ignore every other form of sensitive data in your environment, right? What about your financial data, or intellectual property, or personal data? Unfortunately you cannot go above and beyond in PCI unless it relates to the protection of cardholder data, so with the possible exception of frequency of training, there’s not a lot you can do here.
That’s for PCI though, for your BUSINESS it’s a very different matter, and there is a lot you can do to add true benefit across the organisation. Not just in terms of security either.
The mistake most organisations make is the assumption that security education and training only refers to things like keeping your passwords secret, or not lending out your swipe cards. Yes, training includes these things, but it starts with a thorough coverage of all relevant policies and procedures. I say relevant, because you’re not – for example – going to train your sales team on the proper implementation of firewall configuration standards.
Training is not just some paperwork exercise during on-boarding, then an annual obligation thereafter, it’s the way you bring someone into your organisation and have them up to speed and productive in the fastest time possible. It’s also how you begin to instil the corporate culture (i.e. your policies), and how you ensure that they are performing their duties in-line with standard practices (i.e. your procedures).
Once they have the basics, you can move on to role-specific training, and then, if you’re REALLY doing this properly, you will have the individual job specifications detailed to the point where anyone being on-boarded can step straight into the leaver’s shoes with barely a backwards step.
That’s really the whole point; security awareness training is NOT just a compliance obligation, it’s an integral part of your business continuity and knowledge management processes. It can be the difference between a constant reinvention of the wheel every time you have a mover or leaver, and uninterrupted growth. You may argue that this is more than just security awareness education and training, but I will counter that without proper knowledge, there IS no security.
While I agree that every time there is a staff change the training itself should be reviewed and revamped as appropriate (preferably by the person bringing the new pair of eyes to it), NO-ONE who is just starting should have to work out for themselves how to perform the function to which they have been assigned. At least to a minimum standard. Unless of course it’s a brand new role, in which case they will be responsible for developing and documenting everything necessary to replace themselves in time.
Too often this is seen as making yourself replaceable, but if you can’t be replaced, how can you move up, or even across?
To perform security awareness and training properly, follow these steps:
1. Like access control, the best way to begin developing a good training program is to properly define the requirements, first at a ‘corporate’ level (everyone), then at a more granular ‘role’ level (sales, systems admins, etc.), and finally at an ‘individual’ level.
2. Once this matrix is complete, combine this ‘paperwork’ into an online delivery mechanism which is a combination Document Management System (DMS) and distribution method. That’s really all online training software is; content management.
3. Run everyone through the program, regardless of tenure, and regardless of when they last took it. Track all ‘signatures’ (an online ‘I Accept’ will suffice).
4. Run training again at a minimum annually, but preferably every 6 months. A good balance is full course annually, and Top 10 Things to Remember at the 6 month mark.
5. Throughout the year, use this distribution method to announce major changes to policies and procedures, as well as ‘zero day’ threats (new phishing techniques for example), significant changes to relevant compliance regulations or laws, and any ad hoc matter for which you require – for liability purposes – a written confirmation of acceptance.
6. Provide a robust feedback loop and standardised forms for all personnel to request policy / procedures changes, or to create new ones.
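To make steps 1, 3 and 4 concrete, here is an added example (not code from the original post) that resolves the three-level requirements matrix for a person, checks their tracked ‘I Accept’ signatures against the annual / 6-month cadence, and reports who must be re-run through the programme. Every role, module name, person and date in it is constructed for illustration, and the two cadence constants are simply the intervals stated above.

```python
"""Training-matrix resolution and acceptance tracking.

Added example, not code from the original post. All roles, module names,
people and acceptance dates are constructed; the cadences follow the post
(full course annually, 'Top 10' refresher at the six-month mark).
"""
from dataclasses import dataclass
from datetime import date

FULL_COURSE_DAYS = 365   # full programme at least annually
REFRESHER_DAYS = 182     # refresher at the six-month mark


@dataclass(frozen=True)
class Module:
    name: str
    cadence_days: int    # a fresh 'I Accept' is required within this many days


# Step 1: the requirements matrix, corporate -> role -> individual.
# Module, role and person names are hypothetical.
CORPORATE = {
    Module("Security Policy Overview", FULL_COURSE_DAYS),
    Module("Top 10 Things to Remember", REFRESHER_DAYS),
}
BY_ROLE = {
    "sales": {Module("Handling Customer Data", FULL_COURSE_DAYS)},
    "sysadmin": {Module("Firewall Configuration Standard", FULL_COURSE_DAYS)},
}
BY_INDIVIDUAL = {
    "dana": {Module("Cardholder Data Handling", FULL_COURSE_DAYS)},
}


@dataclass(frozen=True)
class Person:
    name: str
    role: str


@dataclass(frozen=True)
class Acceptance:
    person: str
    module: str
    accepted_on: date    # the tracked 'I Accept' signature date (step 3)


def required_modules(person):
    """Union of corporate, role-specific and individual requirements."""
    return (CORPORATE
            | BY_ROLE.get(person.role, set())
            | BY_INDIVIDUAL.get(person.name, set()))


def training_status(person, acceptances, today):
    """Map each required module to 'ok', 'overdue' (latest signature older
    than the module's cadence) or 'never' (no signature on record at all)."""
    latest = {}
    for a in acceptances:
        if a.person == person.name:
            if a.module not in latest or a.accepted_on > latest[a.module]:
                latest[a.module] = a.accepted_on
    status = {}
    for m in required_modules(person):
        if m.name not in latest:
            status[m.name] = "never"
        elif (today - latest[m.name]).days > m.cadence_days:
            status[m.name] = "overdue"
        else:
            status[m.name] = "ok"
    return status


def overdue_report(people, acceptances, today):
    """Everyone with a missing or expired acceptance, with the modules listed
    (step 4: who has to be run through the programme again)."""
    report = {}
    for p in people:
        gaps = sorted(m for m, s in training_status(p, acceptances, today).items()
                      if s != "ok")
        if gaps:
            report[p.name] = gaps
    return report


# Constructed sample data: two people and their signature history.
PEOPLE = [Person("alex", "sales"), Person("dana", "sysadmin")]
ACCEPTANCES = [
    Acceptance("alex", "Security Policy Overview", date(2016, 9, 1)),
    Acceptance("alex", "Top 10 Things to Remember", date(2016, 9, 1)),
    Acceptance("alex", "Handling Customer Data", date(2016, 3, 1)),
    Acceptance("dana", "Security Policy Overview", date(2017, 1, 15)),
    Acceptance("dana", "Top 10 Things to Remember", date(2017, 1, 15)),
    Acceptance("dana", "Firewall Configuration Standard", date(2017, 1, 15)),
    # dana has no signature for the individually assigned cardholder module
]
TODAY = date(2017, 6, 1)

if __name__ == "__main__":
    for name, gaps in overdue_report(PEOPLE, ACCEPTANCES, TODAY).items():
        print(f"{name}: {', '.join(gaps)}")
```

The ‘never’ versus ‘overdue’ distinction is deliberate: for the liability purposes mentioned in step 5, a lapsed signature and a signature that was never collected are different findings, and the report keeps them apart.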
I’ve not touched here on the actual content of the security training, it’s too organisation / sector specific, but there are certainly some basics (101 stuff, as the Americans would say). However, the development of a comprehensive and sustainable training program requires specialist skills and experience, so make the effort and bear the expense; there’s not one investment you can make that has a greater ROI.
I am constantly surprised and disappointed that the Policy Set (policies, standards, procedures, and guidelines) isn’t taken more seriously. It is the blueprint of your corporate culture, the single most important aspect of your security program, and by far the easiest and cheapest thing to put together (in terms of capital costs anyway).
Even a ‘controls only’ standard like the PCI DSS is roughly 40% ‘paperwork’, but, with the possible exception of the risk assessment, it remains the most common tick-in-the-box exercise of them all. Which is a shame really: it should be bad enough that thieves want to steal your data; to make things worse by not preventing your own employees from virtually giving it away is just plain dumb.
A Policy Set generally consists of 4 main components:
However, you can have the most polished documentation ever, and still completely miss the mark. It’s not about the paperwork itself, it’s about the enforcement of what’s IN the paperwork. A policy is only ever as good as the understanding of it, and the adherence to it.
Unfortunately, this is where most organisations fall down, and one or more of the following challenges apply:
I do not use the word ‘recommend’ lightly, but I HIGHLY recommend that before you implement ANY aspect of your security or compliance program, you get your Policy Set in place. At the VERY least do this in parallel with a risk assessment and business process mapping exercise.
While most high profile breaches focus on what went wrong technically, I can almost guarantee the original failure was one of education in the most basic of all security foundations; policies, standards, and procedures.