Putting across data protection messages to staff takes more than fluffy stick-on bugs, pens or drinks mats, an author in the field has argued.
Information Security and Employee Behaviour, by Angus McIlwraith, reviewed in our April 2006 issue, offers ideas on how to build the right security culture to better protect data.

There is no magic bullet for information security issues, according to McIlwraith, though he does go into some detail about, for instance, what media to use (such as posters) and where and when to use them. How do you encourage, cajole or threaten people into handling information properly? “Many people confuse awareness with publicity, and think that a yearly roadshow or the production of a mouse mat with a slogan printed on it will meet the bill: they will not.” He suggested that the security person has to work on the attitudes and perceptions of non-security staff, the things that drive behaviour. A majority of infosecurity incidents, he argued, are due to ignorant users or ‘the incurably stupid’.

He wrote: “The work we are involved in crosses a large number of disciplines and fields, and we have, in order to be successful, to operate in many of them. You need to appreciate that an information security infrastructure is more than network links, servers and software. It includes buildings, documents and, most importantly, people. Messing up when you address people issues will make your professional life a lot more difficult.” For instance, firewalls and other IT security to protect data from outside attack are necessary; but so too are recruitment procedures and control over contractors and temps.

As McIlwraith summed up: “The majority of errors, security incidents and disasters have, as part of their foundation, an assumption. This assumption is normally a variant on ‘it’ll never happen to me’. Remember that even the most experienced of professionals can make errors of epic proportions. Never assume that staff of great experience and competence cannot be subject to human foibles – they are and will continue to be.”
Information Security and Employee Behaviour: How to Reduce Risk Through Employee Education, Training and Awareness, published 2006 by Gower, 176 pages, hardback, £55. For details and a chapter download, visit www.gowerpub.com. To contact McIlwraith, visit www.ormconsulting.co.uk.