Security Culture

The ideas, customs, and social behavior of a particular people or society
that allow them to be free from danger or threats.

Why you should invest in security culture


Security investment is often seen as buying hardware or software to protect our assets, both physical and logical. Often this is not enough to achieve the security levels we seek. The missing part of the investment is often in building knowledge, culture and understanding.

If we provide people with valuable assets, such as information, we must also provide them with knowledge of the value of the asset and the ability to protect the asset according to the set demands. This is true both for those handling the asset and for the people employed to protect it.

Stepping out of the IT world, we can see that safety, when done properly, consists of investment in equipment combined with training. One example is fire safety: installing a fire alarm is not enough if no one knows what to do when the alarm goes off. The observant reader may say that it is obvious what to do when the fire alarm goes off, which is true and is attributed to our security culture, where we as children were often taught that we need to evacuate the building if the fire alarm goes off.

This cultural behavior, combined with regular fire drills, ensures that everyone knows what to do, with the added incentive that your own life may be at stake if you do not react to the alarm.

Our security culture ensures that we act on fire alarms.

Moving back to IT security, there is a need to build a solid security culture to ensure that all security alarms and/or indications of security incidents are attended to with the correct skill set to determine what actions are needed.

Taking a real-world example of a security breach, we can see that investments are often made in equipment and software without ensuring that the security culture is in place. The following information is taken from public sources and may not be the whole picture of the specific incident; the breach was chosen because of the publicity it has been given.

In the U.S., 40 million credit card numbers were stolen from the Target retail group. The IT infrastructure was equipped with state-of-the-art software to scan all inbound and outbound traffic. This software did detect anomalies on the network, which were reported to the security analyst team via IT operations, yet no action was taken to stop the threat.

No action was taken to stop the threat.

If we look back at the fire alarm: if the same organization had had a fire alarm set off, they would have evacuated the building and then investigated whether there was a fire or only a false alarm. This is because we have this knowledge in our security culture bag. The same would have happened in the IT world if we had the same training in IT security culture. The security analysts would have made sure to investigate the incident and, if it was not obviously a false alarm, stopped the affected systems or at least blocked certain traffic flows, and then made a more robust investigation and chosen what action to take to mitigate the security breach.

If we look at the cost, which is often an important part of deciding which investments to make, the software used in the Target case is priced at around at least 50 000 to 100 000 USD per year for the size needed in the Target environment (again, information taken from public sources). Adding 5 to 10 % of that cost as an investment in security culture gives a security culture program that can cover both the specific usage of the tool and how to react to its alarms, and also, more valuable and important, an investment in generic security culture: how to react to any security alarm and/or indication of a security breach.

In a modern IT infrastructure, the tool mentioned is only one of many tools used to secure IT environments. Adding up the sum of all the tools shows that investment in security culture is only a fraction of the cost compared to other investments in security, giving a big return on investment.

Security Culture can be built using only a fraction of the IT security budget

Using the Security Culture Framework when investing in security culture enables organizations to focus on giving every department training adapted to their needs, ensuring that everyone in the organization has the correct skill to protect the sensitive information that they are managing in their everyday activities.