Specific threats such as the latest virus or distributed denial-of-service (DDoS) attacks against household-name banks are not the most urgent security concerns to address. Rather, it is "the user" that represents the most commonly exploited security vulnerability and will require heightened attention from chief information security officers (CISOs) in 2013, according to research by IT knowledge service provider Wisegate.
In this report, Wisegate shares the perspectives of CISO members from across industries on why the threat from internal computer users—in the office or on mobile devices—represents one of the greatest concerns in protecting corporate data.
“What emerged from the panel of security experts was an agreement that there is no one-size-fits-all answer to awareness training,” Tom Newton, CISO of Carillion Clinic, said in a statement. “CISOs need imagination and perseverance to get their message across, and often innovative methods of training from third-party vendors can be quite helpful.”
Companies should make clear to employees that they are “ultimately responsible for information security,” said Newton.
CISOs need to be creative and tap into their in-house experts in marketing and training to make an awareness program succeed, the report said, and simple data classification labels such as “protected” or “unprotected” work best with end users.
Survey results indicated a lack of understanding of what data is sensitive and what data is not, and employees do not necessarily know how to handle the different categories. As a result, sensitive data can be passed around and treated in an insecure manner.
Instead of assuming that staff, busy doing their non-security jobs, will learn a complex taxonomy, CISOs should focus on making it easier for staff to figure out what they need to do, the Wisegate study results indicated.
“We didn’t do that in the beginning,” a CISO participant in the report said, “and a lot of what we thought that people were going to want was rejected.”
What emerged from the Wisegate panel that preceded the report was an agreement that no single approach to awareness training works for everyone. CISOs need imagination and perseverance to get their message across, keeping in mind the different ways (visually, verbally, socially) in which people learn. The report also recommended that CISOs adopt an overall informal approach to reduce users' reluctance to come forward when something goes wrong.
Wisegate also polled its members on the techniques they use to protect production data when it is used in the development phase. The vast majority (80 percent) scrub or mask this data. The rest (20 percent) allow sensitive data to be used in development, but rely on access controls to protect it. Notably, none of the companies chose to generate substitute data to be used in place of real data.
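To make the "scrub or mask" option concrete, here is an added example (not from the Wisegate report or any member organization) of masking a constructed, production-like customer extract before it is handed to developers. It pseudonymizes e-mail addresses with a keyed HMAC so that rows belonging to the same customer still join across tables, truncates card numbers to their last four digits, and finishes with a check that no original sensitive value survives in the output. The masking key and the field list are assumptions for illustration; in practice the key must be kept out of the development environment, since anyone holding it can recompute tokens for guessed inputs.

```python
import hashlib
import hmac
from typing import Dict, List

# Constructed sample rows standing in for a production extract (not real data).
PROD_ROWS: List[Dict[str, str]] = [
    {"customer_id": "C1001", "email": "alice@example.com", "card": "4111111111111111", "balance": "250.00"},
    {"customer_id": "C1002", "email": "bob@example.net", "card": "5500000000000004", "balance": "13.37"},
    {"customer_id": "C1001", "email": "alice@example.com", "card": "4111111111111111", "balance": "99.00"},
]

# Assumed classification: these fields are "protected" and must never reach developers in the clear.
SENSITIVE_FIELDS = ("email", "card")


def pseudonymize(value: str, key: bytes, width: int = 12) -> str:
    """Deterministic keyed token: the same input always maps to the same token, so joins
    between masked tables still work, but the token cannot be reversed without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:width]


def mask_email(email: str, key: bytes) -> str:
    """Replace the address with a token while keeping the local@domain shape, so code that
    parses e-mail addresses in development keeps working. '.invalid' can never be delivered to."""
    return f"user-{pseudonymize(email.lower(), key, 8)}@masked.invalid"


def mask_card(card: str) -> str:
    """Keep only the last four digits; pad the rest with zeros so length and format are preserved."""
    return "0" * (len(card) - 4) + card[-4:]


def mask_rows(rows: List[Dict[str, str]], key: bytes) -> List[Dict[str, str]]:
    """Return a masked copy of the extract; non-sensitive fields pass through unchanged."""
    masked = []
    for row in rows:
        out = dict(row)
        out["email"] = mask_email(row["email"], key)
        out["card"] = mask_card(row["card"])
        masked.append(out)
    return masked


def leaks_sensitive(masked_rows: List[Dict[str, str]], prod_rows: List[Dict[str, str]]) -> List[str]:
    """Post-masking check: report any original sensitive value that still appears in the
    masked output. An empty list means the extract is safe to hand over under this policy."""
    originals = {row[field] for row in prod_rows for field in SENSITIVE_FIELDS}
    leaks = []
    for row in masked_rows:
        for field in SENSITIVE_FIELDS:
            if row[field] in originals:
                leaks.append(f"{field}={row[field]}")
    return leaks


if __name__ == "__main__":
    # Assumed key; store it with the masking job, not with the masked data set.
    key = b"masking-key-kept-out-of-dev"
    result = mask_rows(PROD_ROWS, key)
    for row in result:
        print(row)
    print("leaks:", leaks_sensitive(result, PROD_ROWS))
```

The deterministic token is what lets developers keep realistic cardinality (two rows for customer C1001 still look like the same customer), which is the main thing the 80 percent gain over synthetic data. The leak check is deliberately naive, comparing whole values only; fields left in the clear, such as balance, can still re-identify people when combined, so the field list needs the same classification discipline the rest of the report argues for.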