“Human Resources Departments are key to information security” states SANS Institute

Posted On 12 Sep 2014

In tandem with European Cyber Security Awareness Month, Lance Spitzner (director at the SANS Institute) suggests that Human Resources Departments have a critical role to play in helping their organisations improve information security procedures.

“Organisations are beginning to realise that they have to secure the human element as technology can only go so far,” explained Spitzner, an internationally recognised leader in the field of cyber threat research and security training and awareness. “As long as individuals store, process or transfer information then they too must be secured. One of the most effective ways in which to secure employees is to change their behaviours through an active, longer term security awareness programme.”

Spitzner (who has spoken to and worked with numerous organisations including the NSA, FIRST, the Pentagon, the FBI Academy, the US President’s Telecommunications Advisory Committee, MS-ISAC, the Navy War College and the CESG in Britain) suggests that, based on the available evidence, it’s extremely likely every large organisation will experience an information security breach at some point in time.

According to the influential Data Breach Investigation Report, which has examined over 100,000 security breaches across the last decade, 81% of the incidents charted can be described by just four root causes: miscellaneous errors (27%), insider misuse (19%), crimeware (19%) and physical theft/loss (16%). The main threat comes from human error, such as someone accidentally posting private data to a public site, sending information to the wrong recipients or failing to dispose of documents or assets in a secure manner. However, lack of security awareness also has a part to play in insider misuse, physical theft and incidents of loss.

“In the past,” continued Spitzner, “organisations have orchestrated security awareness programmes, but these were primarily compliance-driven and designed by auditors to ensure the company could ‘check the box’. These programmes consisted of nothing more than a once-a-year PowerPoint presentation or some very basic computer-based training. In recent times, host organisations have begun a fundamental shift in terms of how they approach awareness and training. They’re now building mature security awareness programmes that identify and change high risk human behaviours.”

Spitzner advocates that the first task is to gain the support of management and answer the key questions of ‘Who?’, ‘What?’ and ‘How?’

“Once you have a programme rolled out,” continued Spitzner, “you’ll need the ability to measure it. Measuring provides several things. First, it helps you identify where your greatest risks are and where you need to focus your efforts. Second, it can be used to demonstrate the value of the programme to senior management, in turn gaining you the support you need in order to keep that programme going in the longer term.”

European Cyber Security Awareness Month

European Cyber Security Awareness Month is a European Union advocacy campaign that takes place each October. The overall aim is to promote the subject of cyber security among citizens, change their perception of cyber threats and provide up-to-date security information through education and sharing of good practices.

To further support this initiative in 2014, Spitzner is running a webinar session offering a step-by-step walk through of how to take your security awareness programme to the next level. The session covers key points including how to leverage the Security Awareness Maturity Model, effectively engage people, measure change in behaviours and communicate those results to management. Registration is available here.

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications)

Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000, having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute’s George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award.

Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian is actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media.

Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications’ dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.