Information Security Awareness Amongst Top Management
Author: Saahil Goel
Joseph M. Katz Graduate School of Business, University of Pittsburgh
November 26, 2007
Information security has increasingly become a critical IS management issue for businesses. Most of the problem arises from a lack of proper understanding, among business and IT leaders, of the negative effects of weak information security…
Executive Summary
Information is the lifeblood of almost every organization in today's electronically connected world. IT has moved from being a support function to being a chief business driver. Yet although businesses rely so heavily on their information systems, securing the information in them is not given the same importance. Protecting information that is so sensitive to a company's workings seems obviously logical, but in practice many companies do not treat information protection as a critical issue. Most of the problem stems from the attitude of business leaders and decision-makers towards information security initiatives: most view information security as a purely IT initiative rather than a company-wide one. Ignorance of the devastating effects that a lack of information security can have exacerbates the problem further. By not investing in spreading (and acquiring) information security awareness, businesses expose themselves to risks such as lawsuits, loss of customer trust, loss of business and loss of sensitive information to competitors. Business leaders need to understand that securing information is as important as obtaining it in the first place. This is especially relevant in the financial services industry (FSI). FSI companies hold sensitive customer information, the loss of which not only damages the company's reputation but may also cause actual financial losses to the customer. And because most transactions in the current banking environment are electronic, a hole in the boundary protecting that information can do a great deal of damage. Businesses need to make sure that information security decisions go hand in hand with all business decisions.
For example, if a company is merging with another company, information security considerations must be given as much weight as the actual consolidation of transactional and profile data from both companies. Business leaders also need to be made responsible and accountable for heading information security initiatives, rather than leaving that responsibility solely in the hands of the information technology department. Companies are embracing information security training, but the rate of adoption is not encouraging. Top management needs to ensure that, in addition to learning about information security themselves, they make the need to follow stringent procedures and policies felt throughout the company, from the top to the most junior employee. Information can leak from any level of an organization; it is up to business leaders to make sure that their attitude and their decisions support the organization's ability to counter that threat at all levels. Robust and technically advanced information security technology should not only be implemented, it should be kept current and used to its full potential. Information security implementations not only help companies prevent the disasters that information compromises cause; they can also save money and, in some cases, open up additional business.
The Issue, Context and Motivation
By and large, every organization has had its share of information security breaches. Breaches can be internal or external, and the internal kind is the more dangerous: an insider already knows the company, its systems and where the loopholes are. Other breaches are unintentional. Either way, awareness of information security is the key to reducing, if not eliminating, the losses caused by compromised security. Employers must take responsibility for training their employees about the consequences of not following security guidelines. Board members themselves need to be aware of what information security violations can cost. Strong regulation, such as the Sarbanes-Oxley Act of 2002, has driven organizations to take compliance measures, but awareness and a genuine drive to protect information are still lacking. Organizations have been solving information security problems reactively rather than proactively, which is harmful in the long run. For example, financial services companies (banks, insurers, trading companies and so on) keep all of their customer data online. If that information reached the wrong hands, the company could face a severely damaged reputation, loss of customer trust, lawsuits or even bankruptcy. Beyond sparing a company these troubles, a well implemented information security system also adds value by enabling efficiency in the workplace and the cost benefits that come with it.
In the “2007 Global Security Survey” conducted by Deloitte Consulting LLP, 71% to 89% of financial services companies across the globe reported that security has risen to the attention of their corporate boards as a critical area of business. Yet only 0% to 18% reported that their information security strategy is led and embraced by line and functional business leaders. Information security is therefore still regarded as purely a technology initiative. The real challenge is spreading awareness of and concern for information security to the business leaders in every organization so that it is given due importance in how the business functions. Furthermore, growth in the volume of business (both vertically and horizontally), the complexity of technology and enterprise solutions, and the global nature of the economy all lead to highly complex information security requirements, and to correspondingly large risks when those requirements are not met. Information security is one aspect of technology and risk management that affects all organizations. It may affect some more than others (banks, insurers, governments, universities, aviation, logistics, stock trading, online retailing), but eventually it will have a major impact on organizations of every kind. Governments in many countries other than the USA have not yet moved deeply towards e-governance and electronic citizen records, but at some point they will. Even within the USA there is discussion of digitizing all health records across hospitals and universities to serve patients better and to make medical research easier through collaborative knowledge sharing. Such an initiative will require strict security controls, since intentional or unintentional tampering with this information could mean the difference between life and death.
Of all the issues related to information security, Identity and Access Management (IAM) is usually considered one of the key ones from an organizational viewpoint. According to the Deloitte survey cited above, the top five initiatives of financial services organizations are identity and access management, security and regulatory compliance, security awareness training, security governance, and disaster recovery and business continuity. IAM will become all the more important, and more difficult, as governments implement systems that authenticate citizens against centralized databases. Government organizations such as the Federal Bureau of Investigation and the Central Intelligence Agency already maintain centralized, highly secured databases of information on criminal activity across the world. Within organizations, information security (and IAM in particular) is hard to implement thoroughly, mostly because of gaps in awareness and training. For example, even when a company's IT department pushes management towards such a system, management is not very supportive unless it sees a potential cost saving in the initiative. This mindset needs to change. Top-level management needs to be more aware of the risks it is exposed to and should openly adopt technology to reduce them. A further difficulty arises from the complexity and scope of information security systems. Before Sarbanes-Oxley was enforced, most organizations ran multiple systems (sometimes hundreds), each with its own digital identities. Those identities were administered by hand and decentralized across the various systems.
As a result, people could hold access to resources that should normally have been restricted. Sometimes this was pure carelessness or human error; at other times it was driven by malicious intent. To illustrate the problem of defining roles accurately for digital identities, consider this example: a system administrator, relatively low in the organizational hierarchy compared with the sensitivity of the information being protected, had unrestricted rights to enter any system and grant anyone any access. The example shows that information security troubles need to be tackled at the root; in some companies that may even mean organizational restructuring. Some companies converting to digital information security systems after SOX did not even have proper audit trails in place, which gave rise to many security breaks and leaks, some of which went unreported. Sarbanes-Oxley sent organizations scrambling to secure their information and infrastructure. Larger corporations could do so by investing large amounts of capital in enterprise-wide systems that implement technology risk management efficiently, whereas many smaller companies compromised with self-built systems that are neither durable nor value-adding. And although technology risk management, information security, identity management and privacy are recognized as important by the government and by some business leaders, there are no concrete guidelines on how deep a company's information security infrastructure needs to be. Companies have therefore sought external certification of their information security management system (ISMS), such as ISO/IEC 27001 (which grew out of BSI's BS 7799), to establish reputation and standing in the market.
For medium-sized and smaller organizations, obtaining such certification is a challenge. Their budgets do not allow such implementations, and the way their current systems are set up makes it very difficult to change them to comply with the certification's requirements. Centralizing all identities from every application in the organization, keeping a single audit trail for each identity, and maintaining a central access control matrix are difficult tasks. It is also important that companies grant the appropriate access to people automatically rather than leaving those decisions to decentralized control. Many organizations still follow a process in which an employee's hiring manager makes these decisions. A risk-averse system is one in which access is granted to the right individuals automatically, with very little human intervention, and any intervention that does occur is overseen by a risk management department that can judge the impact of any change to the access control matrix. Further, these access controls should be open to external audit, with the results monitored by regulators. This too poses a great challenge for small and medium enterprises (SMEs). Achieving it requires a tightly controlled source of input data (such as the Human Resources record created when an employee joins the company) and a very high emphasis on the quality of the data entered, since a small mistake can have a major impact on the organization's security. For example, companies where employee accounts are controlled manually may fail to deactivate an employee's account long after he or she has left the company.
With company intranets reachable over the internet and with the high attrition many organizations face, a devious former or departing employee could easily retrieve confidential information, such as a plan for a new product line or a new initiative against the competition, and hand it to competitors, costing the company real profits. In conclusion, the chief issue around information security is the lack of awareness among employees, non-technology departments and top management. This is compounded by the growing size of companies and the need for extremely complex enterprise systems, and by the absence of government enforcement or of technology-risk-specific guidelines. Initiatives such as identity management can help companies save money and in some cases even make money, so a lack of awareness of such initiatives is costing companies heavy opportunity costs and putting them at a competitive disadvantage.
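The automated, HR-driven access control described above, and the stale-account failure it is meant to prevent, can be checked mechanically. The following is an added example, not code from the paper or from any product: it reconciles an HR roster against directory accounts and a role-to-group matrix, and reports leavers who are still enabled, accounts with no HR owner, users holding groups their role does not justify, and enabled accounts that have not logged in recently. The employees, usernames, roles and groups are hypothetical and constructed for the example.

```python
"""Joiner/mover/leaver reconciliation between an HR roster and directory accounts.

Added example. The HR rows, account list and role-to-group matrix are constructed
for illustration (hypothetical names and groups), not taken from a real organization.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Role-based access matrix: the groups each role is entitled to hold (hypothetical).
ROLE_GROUPS = {
    "fund_manager": {"portfolio-ro", "portfolio-rw", "research"},
    "analyst": {"portfolio-ro", "research"},
    "sysadmin": {"servers-admin"},
}


@dataclass
class HrRecord:
    emp_id: str
    role: str
    status: str                 # "active" or "terminated"
    end_date: date | None = None


@dataclass
class Account:
    username: str
    emp_id: str | None          # None when the account is not linked to anyone in HR
    enabled: bool
    groups: set[str] = field(default_factory=set)
    last_login: date | None = None


def reconcile(hr, accounts, today, stale_days=90):
    """Compare accounts against the HR roster; return findings keyed by type."""
    roster = {r.emp_id: r for r in hr}
    findings = {"disable": [], "orphan": [], "excess_groups": [], "stale": []}
    for acct in accounts:
        rec = roster.get(acct.emp_id) if acct.emp_id else None
        if rec is None:
            # No HR owner: nobody will ever request deprovisioning for this account.
            findings["orphan"].append(acct.username)
            continue
        if rec.status == "terminated" and acct.enabled:
            # Leaver still enabled: the manual-deactivation failure described in the text.
            findings["disable"].append(acct.username)
            continue
        extra = acct.groups - ROLE_GROUPS.get(rec.role, set())
        if extra:
            # Mover or over-provisioned joiner: groups the current role does not justify.
            findings["excess_groups"].append((acct.username, sorted(extra)))
        if acct.enabled and (acct.last_login is None
                             or today - acct.last_login > timedelta(days=stale_days)):
            # Enabled but unused: a candidate for review before someone else uses it.
            findings["stale"].append(acct.username)
    return findings


def run_sample():
    """Run the reconciliation over constructed sample data."""
    today = date(2007, 11, 26)
    hr = [
        HrRecord("E1001", "fund_manager", "active"),
        HrRecord("E1002", "analyst", "terminated", end_date=date(2007, 8, 1)),
        HrRecord("E1003", "sysadmin", "active"),
    ]
    accounts = [
        Account("jdoe", "E1001", True, {"portfolio-rw", "portfolio-ro", "research"}, date(2007, 11, 20)),
        Account("asmith", "E1002", True, {"portfolio-ro"}, date(2007, 7, 30)),
        Account("root-backup", None, True, {"servers-admin"}, None),
        Account("bjones", "E1003", True, {"servers-admin", "portfolio-rw"}, date(2007, 5, 1)),
    ]
    return reconcile(hr, accounts, today)


if __name__ == "__main__":
    for kind, items in run_sample().items():
        print(f"{kind}: {items}")
```

In a real deployment the HR feed is the authoritative input the text calls for, and the report feeds a ticket or an automatic disable action rather than a printout; the point of the matrix is that every group an account holds must be explained by a role, so that the hiring manager's ad hoc decisions are replaced by a rule that can be audited.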
The Position and Perspective
As the discussion above makes clear, the chief reason security control systems are missing is a lack of awareness of information security. Before people can feel the need for awareness, they must first be made aware that information security matters. For example, a human resources employee may not view information security as critically as a technologist would, simply because he or she is unaware of the potentially devastating effects of his or her actions. The training and awareness issue can only be resolved through government controls, management focus and adequate training for every employee. Internal certification in information security should be mandatory for employees, as part of their security training. The role of government in establishing information security initiatives is vital. Along the lines of Sarbanes-Oxley (2002) in the USA, “J-SOX”, Japan's Financial Instruments and Exchange Law, takes effect in April 2008 and is already causing Japanese financial services companies to standardize their information security processes and systems. This highlights a trend towards regulatory compliance elsewhere in the world, and shows how influential a government decision on information security can be in pushing organizations towards effective controls. The ignorance and indifference shown towards security is also portrayed in the article “Businesses More Concerned About Mobile, Remote Security, But Still Ignore Training” in Information Week [i]. A lack of information security awareness not only has direct consequences, breaches and the damage that follows them, but also makes users complacent about implementing security at all.
This can become a vicious circle in which weak information security breeds further complacency about learning about it, leading to a potentially dangerous situation. Moreover, when an organization's employees are uneducated about security, business unit leaders see no reason to take the initiative and top management follows suit; the effect cascades. Information security awareness therefore has to begin at the lowest level and work its way up to top management before any results appear. According to Jones, even though sixty percent of organizations reported an increase in security issues involving mobile corporate users over the previous 12 months, most companies ignore security training, and only 10% plan to implement it over the next 12 months (according to research from TNS Prognostics). The same article notes that 90% of the companies that did implement information security awareness training saw a reduction in the number of breaches. Besides their lack of awareness of the technologies available, of the devastating effects of weak information security and of the savings certain implementations can generate, business leaders also need to examine their attitude towards information security and systems implementations in general. Not only are many executives unaware of the weak security within their organizations, they are also unwilling to implement better security unless they see a clearly tangible economic advantage. As described in the article “Info Security ‘from the Ground Up’” in Business Week [ii], even though CEOs have invested considerably in security infrastructure since the September 11 attacks, they still view security as a sunk cost, that is, they see no real business benefit from implementing it. Management still needs to know (and measure) the economic benefits that would come out of implementing an enterprise information security system. Although information security implementations do deliver economic benefits, both as savings (from avoided lawsuits, bankruptcy, leakage of confidential information and fraudulent transactions) and as gains in productivity, efficiency and brand equity, information security is still “hard” to sell to management. This points to an underlying difference of opinion, and perhaps an unwillingness on the part of business leaders to learn about information security holistically. Part of the problem may be that the information currently available is not easy for a non-IT person to understand. As Gary S. Miliefsky points out, one of the seven best information security practices is to deliver corporate security and awareness training and make it simple enough that an 8th grader can understand it [iii]. The problem may also lie in the way information security is presented to management. Unless all business unit leaders are involved in a security initiative, top management will not take notice of it. If each business unit leader is made aware of the potential benefits of security and the savings it could bring to that unit, it becomes easier to approach top management with support from senior management already in hand. Even though management in most industries lacks security awareness, the financial services industry spends more on information security than other industries and employs the latest technologies to protect its information. Since the primary goal of someone trying to compromise security is money, financial services institutions are prime targets. FSIs also have most of their operating data available electronically over the internet, since customers deal with these companies directly through corporate portals.
Further, financial services companies are able to write off information security expenses in linkage with business processes. FSIs report the lowest cyber-crime rates of all industries and have deployed technologies such as identity management and intrusion detection tools. According to the “The Global State of Information Systems 2006” report by CIO, security executives still need to persuade top management to implement information security [iv]. This may be easier for security executives in the FSI, who can measure the benefits of security implementations in tangible terms, including the value added for shareholders; FSIs are in fact one of the few industries that measure the results of security implementations as return on investment and potential impact on revenue. FSIs are also governed by regulations such as the Sarbanes-Oxley Act of 2002. The report goes on to say that, since regulation plays such an important part in the healthcare, government and education sectors as well, one would expect those sectors to employ strong security too. That is not the case: the government and healthcare sectors benchmark themselves against other non-FSI sectors to keep “abreast” of information security trends. Two important results follow from this. First, companies still rely on “security executives” to do the “selling” to top management; that may work in the FSI, but it will not work as well in industries where the cost of implementation is harder to justify. Second, the lack of awareness spans all sectors, including some that need critical attention to security and do not have budget constraints, such as government. Either information security awareness is lacking in certain sectors, or the information exists but is not understandable or not tailored to its audience.
Although government regulation currently makes information security a pressing concern mainly for the financial services industry, other industries will soon be affected as well. The lack of information security can have devastating effects. For example, a person high in the organization, with access to very sensitive data, who is careless about access controls or standard security procedures could inadvertently cause a breach. Consider a fund manager at a mutual fund company who holds relevant financial data on his system. While logging on to the corporate intranet he falls victim to a phishing attack, and his credentials are intercepted by an attacker working for a competitor. All information about the mutual fund that is shared electronically would then be compromised. Had the manager been trained specifically in the use of the company's systems, he could have followed certain checkpoints. For example, some companies show a personalized image or phrase, recognizable only by the user, on the login page of sensitive applications; its absence is a sign that the page is not genuine, which is an attempt to foil phishing attacks. Since there are other, more sophisticated ways of extracting credentials, companies are also moving towards token-based and biometric authentication. Some companies require certain employees to swipe a fingerprint over a reader in addition to entering their credentials; even if someone obtains the credentials in text form, access to highly sensitive applications is blocked without the biometric factor. Where biometrics are considered too extreme (because of cost and implementation complexity), a physical token that generates one-time codes can be used instead. HSBC currently uses this technology for its credit card customers in Asia: without the combination of the correct username, password and the code generated every 30 seconds or so by the handheld token, a user cannot gain access to the online system. (Such codes are not truly random; they are derived from a secret seed inside the token and the current time, which is what lets the server compute and check the same value.)
Information security implementations not only protect companies from breaches and the resulting loss of reputation and business; implemented properly, they can also save and in some cases make money. Companies can lose large sums to lawsuits and to placating irate customers, both consequences of a breach. A company may even go bankrupt if critical information reaches competitors who capitalize on a plan the company was depending on. Systems such as identity and access management, however, can help companies generate and save money. A simple IAM system that reduces the number of helpdesk calls for password resets, for instance, can save some companies about 30% of their helpdesk costs. The employee productivity lost to forgotten passwords, though hard to measure, also falls, raising overall business productivity. Robust security systems also let customers interact with the company directly, cutting out several physical layers that exist today and enabling sophisticated automation. For example, customers may be able to buy products such as health insurance online without interacting with anybody, which not only cuts the cost of additional manpower but also improves the customer experience, an intangible benefit. Federation systems can drastically reduce transaction costs that would otherwise exist. Federation allows two companies to conduct business seamlessly (with respect to connectivity) even though they remain separate entities, which is useful for collaborative projects or partial mergers for a particular project, where a complete revamp of systems is not warranted.
Recommendations
The first step towards implementing information security is to make top management see information security spend not as a sunk cost but as an investment. Only with that awareness will business leaders take proactive steps towards implementing such systems. It should also be ingrained in business leaders' minds that information security teams belong in critical business decisions. Information security can only be leveraged effectively if it is built into a company's systems and processes rather than treated as an add-on function; it is best thought of as a “wrapper” around all systems and processes, which allows the most efficient streamlining and the most robust and secure computing environment. To make business leaders aware of information security and its advantages, the communication gap between top management and security professionals needs to be narrowed. Because business leaders are not directly involved in heading or managing information security initiatives, information security is usually less aligned with business objectives than it could be, which widens the communication gap further. Business unit leaders and top management should therefore actively head information security projects and make the key decisions in this area; implementation may be left to the security personnel. In addition to better communication among the parties, a corporate culture needs to be established that encourages computing in a threat-free environment. This improves the attitude towards security of a company's employees and of top management alike. Employees follow what their leaders say: only when security is demonstrated as critical by way of top-down pressure will it be taken as seriously as it should be.
Businesses also need to realize that information security should be implemented proactively rather than reactively; there are numerous examples of mistakes by other companies that have cost them millions of dollars and damaged their reputations. Government regulation will help a great deal here, so in addition to corporate responsibility for security measures, government support and enforcement should be made more stringent and more detailed. Companies are currently certified by external agencies (ISMS/ISO 27001). In future, the government could partner with those agencies and make certification mandatory for certain kinds of business. That would not only ensure that security is actually implemented but would also send a message to employees, customers, stakeholders and the top management of other companies about how critical security is to a company's success or failure. Since information security awareness is so critical, some specific steps that can be taken are outlined below.
a) Top management buy-in and awareness: Top management needs to understand the business savings and cost advantages of information security systems. Enough material and training modules for measuring the benefits of security implementations do not currently exist, and corporate leaders cannot easily absorb purely technical information. Such material, and the tools and techniques for measuring returns, should be created; they would produce two kinds of knowledge: technical and implementation know-how on the one hand, and knowledge of business benefits, threats and risk assessment on the other.
b) Employee training: After top management, the next most important entity to align with a company's security needs is its employees. Most security breaches originate inside an organization, whether intentional or unintentional. Incentivized training programs should be run, mandatory internal certification organized and surprise internal audits conducted; defaulters should be penalized to show that the company is serious. External security certifications (such as Certified Ethical Hacker and the Cisco security certifications) can be offered to technical personnel free of charge, which both encourages employees to take them and helps build a culture aligned with information security and with industry-standard security systems. Information security training should reach employees in every department (legal, HR, operations, IT, accounts and finance) so that the knowledge penetrates the non-technical verticals as well, and employees should be made aware of the role they play in the security process.
c) Stringent security policies: It is remarkable that, even with the technical know-how and the right tools available, companies still do not implement stringent security policies. Simple policies such as forbidding default passwords and changing passwords at a set interval require no heavy investment, just the right mindset towards security. (One caveat a practitioner would add today: later guidance, NIST SP 800-63B, advises against forced periodic password changes in favor of screening new passwords against lists of known-compromised ones and requiring a change when compromise is suspected; forbidding default and vendor-supplied passwords remains essential.)
Companies should take the technology that they already have and make optimal use of them. Also these policies should be strictly enforced. For example, if there is a certain process set around resetting forgotten password, it should be followed stringently. No compromise should be made on this process. Such measures will ensure that security policies are not just implemented but also enforced. d) Intrusion detection systems and auditing: Even though many organizations have certain kinds of information security systems implemented, rarely do organizations have documented breach control processes in place. Specific documentation should be put in place on effective handling of a situation in which a security breach arises. Specific people should be made accountable for handling these breaches in a streamlined fashion. Before breaches can be reported, intrusion detection systems should be put in place. While off-the-shelf products are available for this purpose in the network security arena, not many effective products are available for data security. In-house development or customized solutions should be put in place for intrusion detection. Further, auditing and reporting should be done and analyzed on a timely basis. Once such report could be maximum number of unique logins on a particular application from one desktop. Over several time periods this data would help recognize potentially malicious employees (or desktops being used) within an organization. Also, failed authentication attempts, unchanged passwords, maximum length of inactive sessions, etc. Such reports will help Page 10 of 12
identify users which are insensitive to security – both careless and those with malicious intent. Also, auditing will help maintain a trail of which actions were undertaken by which employees thereby making corrective action easier. These steps will ensure that the training imparted to employees was successfully absorbed and if need be, re-training should be conducted and/or penalties should be imposed.
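One way to produce the desktop-login and failed-authentication reports described under d), as an added example that is not the paper's own code: a small Python script run over a constructed audit log in a hypothetical key=value format, with review thresholds (three users per desktop, three failures per user) chosen purely for illustration.

```python
from collections import defaultdict

# Constructed sample application-login records in a hypothetical key=value
# audit-log format (not from the paper): timestamp, desktop, user, app, result.
SAMPLE_LOG = """\
2007-11-20T09:01:00 desktop=WS-101 user=alice app=ledger result=success
2007-11-20T09:05:00 desktop=WS-101 user=bob app=ledger result=success
2007-11-20T09:09:00 desktop=WS-101 user=carol app=ledger result=success
2007-11-20T09:12:00 desktop=WS-101 user=dave app=ledger result=success
2007-11-20T09:20:00 desktop=WS-205 user=erin app=ledger result=failure
2007-11-20T09:21:00 desktop=WS-205 user=erin app=ledger result=failure
2007-11-20T09:22:00 desktop=WS-205 user=erin app=ledger result=failure
2007-11-20T09:23:00 desktop=WS-205 user=erin app=ledger result=failure
2007-11-20T09:30:00 desktop=WS-310 user=frank app=payroll result=success
"""

def parse_log(text):
    """Turn each non-empty line into a dict of its key=value fields."""
    events = []
    for line in text.splitlines():
        if line.strip():
            timestamp, *fields = line.split()
            event = dict(field.split("=", 1) for field in fields)
            event["time"] = timestamp
            events.append(event)
    return events

def unique_logins_per_desktop(events, app):
    """Report: number of distinct users who successfully logged into `app` from each desktop."""
    users = defaultdict(set)
    for ev in events:
        if ev["app"] == app and ev["result"] == "success":
            users[ev["desktop"]].add(ev["user"])
    return {desktop: len(names) for desktop, names in users.items()}

def failed_attempts_per_user(events):
    """Report: failed authentication attempts per user, across all applications."""
    counts = defaultdict(int)
    for ev in events:
        if ev["result"] == "failure":
            counts[ev["user"]] += 1
    return dict(counts)

def flag_for_review(events, app, max_users=3, max_failures=3):
    """Desktops and users exceeding the review thresholds, for the accountable breach handler."""
    desktops = [d for d, n in unique_logins_per_desktop(events, app).items() if n > max_users]
    users = [u for u, n in failed_attempts_per_user(events).items() if n > max_failures]
    return {"shared_desktops": sorted(desktops), "repeated_failures": sorted(users)}
```

Run periodically (per day or per week), the output of flag_for_review is the list an auditor would compare across time periods, as the paper suggests, before deciding on re-training or penalties.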
References
i. K.C. Jones, "Businesses More Concerned About Mobile, Remote Security, But Still Ignore Training", InformationWeek, November 5, 2007. http://www.informationweek.com/showArticle.jhtml;jsessionid=C4SCFOM3W2ESQQSNDLPSKHSCJUNN2JVN?articleID=202802456&queryText=information+security+awareness
A report by The Computing Technology Industry Association describes how, despite a rise in security breaches related to mobile computing users (an increasingly popular practice in IT/consultancy sector companies), organizations are complacent about implementing information security or conducting awareness and training sessions for their employees.

ii. Alex Salkever, "Info Security 'from the Ground Up'", BusinessWeek, April 13, 2004. http://www.businessweek.com/technology/content/apr2004/tc20040413_9762_tc146.htm?chan=search
Many CEOs have paid attention to information security after the September 11 attacks and have invested considerable resources and money in this initiative. However, they still follow a "reactive" approach to information security awareness rather than taking an active stand on it. Management still views security spending purely as a cost without any real benefit to the core business. This article demonstrates a clear lack of understanding of information security and its benefits on the part of management leaders.

iii. Gary S. Miliefsky, "The 7 best practices for network security in 2007", Network World, January 17, 2007. http://www.networkworld.com/columnists/2007/011707miliefsky.html
This article describes ways to improve information security within an organization by providing seven best practices as guidelines from which corporations can develop their own. Although it does not directly describe the current state of knowledge about information security awareness, it does make the reader aware of the current state of affairs in organizations by describing the attitudes of people within them and the steps required to implement security.

iv. Allan Holmes, "The Global State of Information Security 2006", CIO, September 15, 2006. http://www.cio.com/article/24979/The_Global_State_of_Information_Security_/6
This article reports on the global state of information security in 2006. It has a section highlighting the current state of information security and awareness in sectors such as finance, education, healthcare and the public sector. It makes an important argument in support of the claim that management is concerned only with the economic benefit of information security rather than with a long-term approach to running a business efficiently and securely.