Tuesday, November 23, 2010

Human, technology key to security defense

SINGAPORE--Security experts are calling for greater emphasis on human factors in dealing with IT security risks and reiterating the need for technology to be the last line of defense.

Speaking at the Enterprise Information Security 2010 conference held here Tuesday, Fuller Yu, vice president of resiliency and IT risk management at JP Morgan Hong Kong, said the key to protecting sensitive data is to cultivate an environment in which employees are educated about and aware of potential risks. He revealed that the financial services company requires all its staff, as well as third-party vendors that have access to JP Morgan's data, to undergo IT security training.

Yu explained: "The training is to ensure staff members take responsibility in maintaining data security. You will take very good care of your mobile phone and money, so this applies to data at work. If there is no proper training, people may shirk responsibility and say this information does not belong to me."

He also urged senior IT executives to start similar training programs, as education is a "multi-investment and most effective way" of keeping the organization's sensitive data and transactions secure. It is not enough to rely on technology alone, he said.

Muhammed Dawud Saifullah, head of IT infrastructure at Celcom Axiata, concurred. He acknowledged that while most organizations would have to work within a limited amount of resources, they should evaluate the feasibility of increasing efforts on training staff members to better handle security matters.

Also a speaker at the conference, Saifullah suggested using branding and marketing tactics, such as corporate wallpaper with a one-sentence reminder highlighting "safety" best practices to drive home the message. Such "motivation" efforts are especially relevant in combating security attacks which carry a sociological element, he said.

He pointed to Kevin Mitnick, the infamous hacker who, among other crimes he committed, was able to obtain the source code of a Motorola mobile phone simply by speaking to a staff member and "dropping names".

Saifullah said studies have shown that it is human nature to respond to familiarity and form relationships, and Mitnick took advantage of this trait and deployed social engineering to gain sensitive information.

"For you to secure the infrastructure, you need to look at what motivates people to act the way they do, then come up with initiatives such as slogans or mascots. With greater understanding comes better security behavior," he said.

However, he cautioned against imposing tough penalties for any breach of security protocols, as it has been shown that security effectiveness is inversely proportional to the severity of the punishment. "Whereas, if employees buy in [to the idea], then it becomes a motivational factor [to comply with the protocols]," he said.

Deepak Rout, chief information security officer at Uninor, added that if IT departments feel the need to impose "penalties" for policy breaches, these should be linked to HR (human resource) policies to ensure effective results.

UAE faces government challenge

While enterprises today face a multitude of security issues in the workplace, those operating in the United Arab Emirates (UAE) have more issues to address, according to Samir Abdullah, director of fixed and core network security at du, a telecommunications services provider based in the UAE.

Samir, who also spoke at the conference, explained that operators in the local telecom industry have to comply strictly with regulatory guidelines and need extra manpower to monitor certain applications such as Skype.

"You always keep a certain percentage [of the budget] dedicated for security, and enterprises have to be mindful that this is an expense that they have to consider," he explained.

1 comment:

  1. I think this article is fascinating in that it incorporates company culture and human motivation into a part of the necessary line of defense against information security threats. However, I would question the applicability of some of the interviewees' input to U.S. work culture (not that the poster was arguing that the U.S. should have the same corporate mindsets - this is just commentary on the relevance of the article to the U.S.). For example, the article cites JP Morgan Hong Kong's Fuller Yu: "If there is no proper training, people may shirk responsibility and say this information does not belong to me."
    It seems in the case studies we've read thus far that the problem wasn't motivation but rather lack of knowledge on the part of the lower-ranking employees. I would say motivation is a problem among higher-ups, instead. Think of Bob Turley, for example, whose employee, Joanne, practically killed herself trying to help the situation, while he drank some coffee and tried to watch TV in his hotel room while thinking about how to save his reputation. Also, we saw in the CareGroup case that it was the overall strategy in their BCP (which is designed by management) that was the core problem leading to the network getting so out of spec. Of course, there is always going to be room for more motivation on everyone's part to maintain good standards for information security practices, but I think in the case studies we've looked at that are based in America, our corporate cultures might suggest motivation is lacking more on the side of management rather than the standard employees.