March 18, 2009 12:06 PM PDT

People are still the biggest security vulnerability

by Jon Oltsik

There is an old saying in the security world that people are the weakest link in the security chain. Here is a bit of data that reinforces this ancient security adage.

ESG Research recently conducted a project focused on confidential data security that will be published soon. However, here are some interesting advance results that support this venerable security dictum. ESG asked 308 North American and European security professionals from large organizations (i.e., 1,000 employees or more) a number of questions about data security risks, policies, and technology safeguards. When asked to define the most important measures for protecting confidential data, nearly half of all respondents said "communicating and training users on confidential data security policies." This was the top response, followed by "physical security" and "access controls for private data."

Now here's the scary part. When asked to rate their organization's performance with regard to "communicating and training users on confidential data security policies," more than one-fourth of security professionals gave their organization a rating of either "fair" or "poor." In other words, many organizations aren't doing a good job in the most important aspect of data privacy and security: communicating with and training employees. Yikes!

This problem appears to be more acute in Europe than in North America. In North America, "only" 24 percent of security professionals responded either "fair" or "poor," while in Europe the number increased to 38 percent. The problem is also more pronounced in the public sector, where 34 percent of security professionals gave their organization a "fair" or "poor" rating. Finally, there is also a correlation with organizational size: larger firms do a better job at "communicating and training users on confidential data security policies" than smaller ones.

To me, the message is clear and frightening. The "people" part of information security (i.e., the most important part) is being minimized or managed very poorly. No wonder there are so many breaches! If this problem isn't addressed, we may as well give up. You could invest $1 billion in security technologies, but if your people don't know about or understand the problem, you may as well leave the corporate networks wide open.

Jon Oltsik is a senior analyst at the Enterprise Strategy Group. He is not an employee of CNET.
by Pishkado March 18, 2009 1:26 PM PDT
If you ask 1,000 drivers to rate the quality of their driving versus the quality of the maintenance their car gets, most of them will rate their driving higher. If you ask 1,000 mechanics to rate the quality of the maintenance they provide versus the quality of the average person's driving, you'll get the opposite result.

So: a bunch of security professionals rated their organizations' performance on the technical stuff, for which they are presumably responsible, higher than its performance on the human side, which is largely the job of supervisors and managers. The only surprise here is that someone finds this meaningful enough to waste pixels on.
by screamapillar March 19, 2009 5:40 PM PDT
Actually it is the responsibility of the security professionals to communicate the security policies etc., not managers and supervisors. It is an area of weakness for all technical-based areas: communication, change management, etc. are all done poorly. You'll find that most of these organisations either have no formal security policy or it is outdated/old or just gathering dust on some shelf. Policy communication, training, dissemination, evaluation, etc. are the responsibility of those implementing the policy, and rarely are any of those done (particularly evaluation, and thus the capacity to improve/respond).

I'm not sure what organisation you work for but their security is clearly in question if this is your view which is likely reinforced by the attitude of your organisation.
by dracoaffectus March 18, 2009 1:30 PM PDT
Hmm, even though I'm sure it is true that people are the biggest security vulnerability, the study sounds a bit fishy to me..

I say this because, as you said in your opening sentence, it is already a commonly held belief in the security world that people are the weakest link in security. And many people probably believe this even though they have no direct proof. So to ask a group of security people, who already believe this to be true with or without proof, what the biggest security vulnerability is doesn't seem like actual evidence that the statement is true. Instead, the study seems to just be confirming that many security professionals still believe that people are the weakest link in security.

My point is...they didn't actually prove anything.

Just to drive my point home... Let's say I wanted to prove that you "catch more flies with honey than with vinegar", which is a (fairly) common adage. If I used a study that's analogous to the one described in this article, I might simply ask a group of people for the best way to catch flies. Of course, most of them will tell me that I can catch more flies with honey than with vinegar, but that doesn't make it right.
by pjhenry1216 March 18, 2009 2:16 PM PDT
On a side note, the old adage is actually false. You get more flies with vinegar, though I suppose it could vary amongst species.

In any case, I think evidence supports the security specialists. A majority of malware, adware, viruses, etc. can only infect the computer with the user's help. They should just do a study and ask 1000 people not in the tech field and 1000 security specialists if they've ever been infected with a malicious software. I'm betting one group will do better and I bet a good reason is that they have training.
by brikj March 18, 2009 3:40 PM PDT
Anybody besides me ever notice the paradox that results when taking a system that is designed to share information then attempting to prevent it from sharing information.
by screamapillar March 19, 2009 5:49 PM PDT
We 'people' also have the added problem of poor policies designed by the security professionals. For example, the convoluted password requirements these days. They do not take into account that not all human beings have photographic memories. If you ask me to change my password every 30 days and the new one can't resemble the old one and it must have non-alphabet characters and must be at least 8 digits long and etc etc etc - how the hell do I remember it? Oh yeah, it's on the sticky note stuck to my screen. Ok now add to this: so I have 28 different passwords I need to remember - and you as the security 'expert' are aware of that but clearly don't give a toss. Now I just have a list on the sticky note with each one identified as what it is for. Whoops, how did that breach happen? Oh right, it was BECAUSE of the security policy.

Now I don't do that but many, many people do. We all know people with their PIN in their purse/wallet with their credit card, and it is one of the easier passwords for them (and one that they value - why would they value the business's security if you do not communicate your rationale to them?). You are dealing with a generational gap here, with passwords etc. being a foreign and difficult task. The security 'experts' have a logico-mathematical brain that copes well with alpha-numeric patterns. This is RARE in human beings overall. Combatting the issues of passwords with security policies that don't take that into account is ignorant at best, self-sabotaging at worst.

And this is only one example of bad policy of many.

What we have is policies being made without consultation and then enforced without communication or training. This is the reality of IT security, and until these experts understand that people exist and do work and have business needs at the other end of that IP address, they will always rate poorly.
by timupton April 16, 2009 12:55 PM PDT
I wish that these findings were more surprising, but when security policy is buried on the intranet somewhere, or even worse, in a dusty binder on the back shelf, employees can't be expected to understand how to handle their data. While security policy needs to be established and communicated, it goes against human nature for employees to keep this top of mind with every piece of information they handle. Enterprises need to find ways to reinforce policy day in, day out with users in order to make the nuances of the security policy truly understood.

Technology has the potential to be an enabler when it comes to security policy, and classification technology is a great example of how some enterprises are already doing this. Users become aware of the sensitivity of information as they label emails and documents. The end result is great consciousness amongst users, and improved security when it comes to handling the data.