In the September print issue we featured LISTEN, a London-based e-mail group for security managers. In October’s: SASIG.
The Security Awareness Special Interest Group is a free quarterly networking forum for those who have an interest in, or a responsibility for, raising awareness about all aspects of security in their organisations.
It offers an opportunity to listen to guest speakers, to discuss successful practices and solutions, and to take part in workshops. The September meeting for example was titled ‘It’s the Way You Tell ’Em’ about various ways to make awareness messages "sticky" and memorable, including the language used and the delivery mechanisms. SASIG was founded by Martin Smith, Managing Director of The Security Company (International). He says: “I’m a traditional security manager. I learned my trade in the RAF, and have been in the business now for more than 30 years. In all that time, I have yet to come across any truly sophisticated crime, even in the arena of computer security. The criminal will always take the simplest route to the riches. Rarely does an attack come from the outside – it is invariably via someone with authorised access, either directly or through subversion or coercion. The crook will take advantage of human failings to find a way through the defences. Furthermore, security breaches and frauds invariably involve the blindingly obvious. Simple human error, ignorance or omission is most commonly at the route of all trouble."
Sensitised
He suggests most of us are now much more sensitised to the need for greater security in our working and private lives. "Terrorism, rising levels of violent crime, ID theft, social engineering, child exploitation on the internet – these are all impacting our families and our everyday lives. Most of us are looking for ways in which to be safer and more secure – at work, while travelling, and at play. We are happy to follow rules but can only do so when such rules have been brought to our attention and explained." Martin gained a degree in behavioural psychology before spending 15 years in the Royal Air Force, firstly as a pilot and then assigned to counter-espionage and counter-terrorism duties in east and west Europe. He was awarded the MBE. He left for a second career in the commercial sector. He joined Touche Ross Management Consultants before becoming Senior Director of Corporate Security for Kroll Associates (UK). He then joined Standard Chartered Bank as Head of Information Security before forming in 1997 his own specialist consultancy. He is an after-dinner speaker and the owner of several classic British cars which he uses as his everyday transport.
Backsides covered
"I feel compelled to voice what others may be thinking but are reluctant to say. In many ways, I believe the security industry is letting down its clients – that is, the business manager and the worker. Too often, our solutions are designed simply to cover our own backsides rather than improve security, and we lose credibility and the support of our audience. The recent hysteria over air travel is a good example. Too often, we are tempted into exotic solutions, developing ever more complicated answers to increasingly obscure threats. We focus on brain surgery while the patient dies of the common cold."
Raising awareness
Martin regularly quotes the statistic that "98 per cent of all security breaches and exploits target known vulnerabilities…" In other words, he says: "…98 per cent of the kiddies who die in Africa die because of the lack of fresh drinking water. We know what’s going to go wrong but we just fail to do anything about stopping it. This is unforgivable.” He believes that – pound for pound – raising awareness amongst employees will do far more to improve security than any technical solution can ever hope to achieve. But even today, he says, security awareness enjoys far too little attention in most security management plans. “Our aim is to change this, and – through the SASIG – to help you to make the size of your security department the same as the size of your company’s entire work-force.” But in the modern market-place things are even more complicated. "Most of us are no longer are insulated from the rest of the business community. Increasingly we are extending our enterprises to include our suppliers, customers and business partners. As the corporate boundaries fall, so the need for security and fraud prevention increases if we are not to lose control over our own resources."
Complacency
There is a long way to go. “There is enormous complacency amongst most workforces towards any aspect of security or fraud prevention, and this is particularly true amongst senior business managers where the example should be set. Then, those aspects of security that have been introduced tend to encourage a false sense of security amongst the workforce. There is a key on the door, so anyone inside must be OK. If it has a password, then it’s safe (no matter how many others you share that password with!) There has been little success to date in ‘selling’ security within the organisation. It remains an abstract topic, someone else’s problem, despite the fact that it is essential to business stability and growth. Too often, technical solutions are prescribed for people problems. No lock in the world is worth a jot if the users pass round keys to anyone. No medicine is ever going to work unless the patient takes it."
Growing up to do
Is the message getting through? The evidence does not look good, he says. Looking back over some 20 years’ worth of surveys and reports into frauds and security breaches and the status of security generally, Martin says that a trend comes through: "To me, the results of all these surveys make depressing reading. It is clear that security and fraud prevention has still a lot of growing up left to do. We are making good progress at last, but the need to communicate simple security messages throughout the workforce is still set low on their list of priorities by many professional security managers." Martin maintains that rarely does security and fraud prevention awareness receive the attention it deserves. “I believe it to be essential that we apply professional internal marketing and change management techniques to the security and fraud prevention message. We have all met those who can sell us things we had never previously heard of, who can change our behaviour fundamentally, and who can profoundly influence our attitudes on a range of subjects. For goodness’ sake, they nearly got me to vote Labour in the last election! The security industry needs to embrace these techniques; other corporate functions have been using them for years to great advantage and it is time we did too." Change management need not be expensive or complicated. Internal marketing can be cheap and simple yet still be enormously effective. Creating a true security and fraud prevention culture will take time and is best done in small steps, but real improvements in overall standards of security and a genuine reduction in levels of fraud can be made quickly and with little pain. Effectively communicating simple security messages through a number of channels, most of which will probably already exist, will stem many of the dangerous weaknesses in our defences, he says.
About SASIG
SASIG meetings are organised by The Security Company (International) and hosted by Reuters in their Docklands offices; no charge for attendance. "Everyone is welcome," Martin says. "We want to encourage debate and to spread knowledge about this vital topic. We like to examine ways to replace the existing typical cycle of annual security training via face-to-face presentations or CBT – pushed to busy staff who deal with it as an annoyance and often take only a small amount of knowledge away with them – with a gradual shift towards cultural, cognitive awareness of security."
