You often hear airport TSA checkpoints described as “security theater” because despite their imposing presence and processes, passengers still sneak contraband onto commercial flights.
In IT, we see similar performances – and results. For us, security theater has manifested itself as the deployment of layers of technology like antivirus, Web filters, password policies, encryption, multi-factor authentication and on and on. When a breach and data loss does occur, IT does not hold itself liable because of all the measures that it used to try to prevent it.
The weakness of these measures is their inability to address data’s primary vulnerability: the employee. For example, I was talking to a colleague whose CSO forbids installing Dropbox clients because:
- The company will lose control of its data.
- Dropbox offers no ability to centrally manage or control the confidential content that might be stored there.
- It offers some limited ability to share data with other parties.
Yet Gmail has all these faults – or features, depending on who’s talking – and no one blocks Gmail. In addition, determined users can visit Dropbox.com and use the Web-based version. The result? Inconveniencing the employee in the name of security, without effectively protecting a lick of data.
But InformationWeek’s 2013 Strategic Security Survey reveals the beginnings of a sea of change among the information department and the enterprise as a whole: Seventy one percent of its respondents rated security awareness as either “effective” or “very effective.”
Though security is taking a larger portion of the IT budget, less of that money is going toward hardware and software. Instead, rather than attacking the problem with technology, IT’s facing it with training. Why?
- For the average employee, data theft is no longer an abstraction. They don’t know the science behind it, but they largely understand that it’s going on. They may have had an account closed due to unauthorized activity, or know someone it’s happened to.
- IT departments have hardened systems that make social engineering the easiest access point for black hats. Two years ago hackers successfully attacked RSA when a spam filter blocked a virus laden email, but an HR admin couldn’t resist the subject line, “2011 Recruitment Plans.” Once the spreadsheet was opened, the virus was unleashed.
- No appropriate new technologies have gained traction in the last several years.
So, without throwing any new technology at the problem, IT is finally addressing the weakest link: the employee. This makes sense, since security risk management is about tools, but also processes, training and procedures.
Still, there’s a long way to go. While user training is high on corporate priority lists, InformationWeek found that only 5 percent train monthly and the majority, 53 percent, only train annually. Only 26 percent actually test for effectiveness.
Think about that for a second: No IT department would deploy new technology without thoroughly testing it, yet 74 percent of companies don’t test for the effectiveness of security training.
Meantime, the nature of testing is changing. Rather than a multiple choice at the end of a PowerPoint presentation, try regularly sending a company-crafted phishing scam like the one sent around RSA. (Software packages like TrustedSec’s Social-Engineer Toolkit, can help you automate much of this.) Users who fail one test might get a short video to refresh their security awareness. However you remedy such situations, it’s a real-world approach to gauging employees’ knowledge and educating them about the risk they may unwittingly pose to your organization.