The continued trend towards a completely mobile world where information can be accessed at any time, from anywhere, with any device places a new emphasis on us all to take responsibility for the information that is entrusted to us.
This is all very well, but it expects everyone to be an expert in information risk management; not an easy task with limited training, never mind passion and desire! Here’s my clarion call for ‘appropriate’ IRM training and awareness in 2014.
In a mobile world the responsibility is on you
The new Government Security Classification Scheme comes into effect on 2nd April 2014. Whilst there are still a number of doubting Thomases (including some here at Ascentor), the fact is that most Government organisations are making a concerted effort to comply with the spirit of the policy. Principle 2 of the new policy states that everyone has to take responsibility for the information they are entrusted with:
“EVERYONE who works with Government (including staff, contractors and service providers) has a duty of confidentiality and a responsibility to safeguard any HMG information or data that they access, irrespective of whether it is marked or not, and must be provided with appropriate training.”
We can’t avoid the fact that we are now a mobile workforce that demands access to the tools and information that enable us to work whenever and wherever we want.
- Bring Your Own Device (BYOD) is fast becoming a workforce must-have rather than a nice-to-have. Companies without BYOD policies are sticking their collective management heads in the sand if they think this is not the case.
- Cloud-based services are becoming the norm for organisations looking to decrease the cost of their in-house IT and actually get better at security; even Microsoft Office 365 has achieved CESG accreditation (in a certain context).
“Microsoft’s public cloud productivity suite for email, collaboration and unified communications, including web conferencing, is now accredited to store and communicate data securely up to the UK Government’s Impact Level 2 classification.”
Source: Microsoft UK Government Blog
What is “appropriate training”?
Those responsible for the new UK Government Security Classification Scheme have got one thing absolutely spot on; users must be provided with appropriate training. The trouble is, what does “appropriate” actually mean?
Making users responsible for safeguarding information (HMG or otherwise) effectively means that the onus for protecting the confidentiality of the information has moved from the organisation to the user. The emphasis for organisations is now solely on providing availability, leaving the confidentiality aspects up to the user. As long as the end user receives “appropriate training” all will be well – won’t it?
Those that have been working in information security for the last umpteen years will know that learning how to protect the confidentiality of information is no easy matter. There are many factors to consider:
Physical Security: You need to consider the environment – is it safe to view the information? Are there people watching to learn the PIN you use to access your device? Are people able to see the information displayed on your screen? Is it safe to take the device on the train?
Procedural Security: What happens when the device is lost or stolen? What action should be taken and how quickly should it be reported? Will the user expect to be in trouble and therefore be less likely to report the loss or theft? What happens if a virus is detected? The user needs to understand how to react to ensure any compromise is contained quickly and efficiently.
Technical Security: The technical security issues are probably the most challenging. Does the device need to be encrypted and, if so, to what level? What encryption protocols need to be used when communicating over the Internet? HTTPS is fairly well understood, but how does a user determine the encryption being used by non-browser-based applications? Does the device they are using need to be protected by a password or PIN? If so, what complexity is appropriate? Can the user make local backups? Cloud backups? The list goes on and on.
Personnel Security: Can the user share information with other users? What are their clearance levels? How can this be confirmed? Have they also received “appropriate training”?
Making sure EVERYONE understands security
So, “appropriate training” means making EVERYONE really understand security. This does not mean they have to be experts in the subject (although that would help), but they need to understand more than just the fundamentals and really care about their responsibilities.
Information security is not the most exciting of topics for most people, and without a genuine interest in the subject, training is likely to go in one ear and straight out of the other. To quote a couple of well-known sayings in the IT Helpdesk world:
“Users need re-training after a lunch break.”
“Users are so dense, light bends around them.”
So is training & awareness the answer?
It has to be! Empowering users to make decisions about information security means they must understand their responsibilities. Organisations have a duty of care to ensure that no user is entrusted with information before they have confidence that the user knows what to do, how to do it and when to do it. If there is any doubt, don’t give them the responsibility in the first place – they will only mess it up and cite a lack of “appropriate training” as their excuse. Who’s responsible then…?
So, please Santa, do the cyber security world a favour and bring us some “appropriate training” in 2014. Otherwise, the bad guys may get some brilliant Christmas presents next year!
Perhaps we can help.