The weakest link?

Bjorn R. Watne, Chief Information Security Officer, Storebrand Group

Bjorn R. Watne, Chief Information Security Officer, Storebrand Group

I have been working with Information Security – or IT Security as we called it back then – for almost 20 years now. Looking back, it does not seem all that long ago I started down this road of digital defense, but the evolution of both the industry and society has been remarkable. Turning into the 90s - I remember collecting viruses, safely storing them on floppy disks. Now, some 30 years later we see global giants like Maersk and Hydro being shut down for days, with losses numbering into hundreds of millions. And this caused by a small piece of code, similar to what I was storing on floppies all those years ago.

Fortunately, the attackers are not the only ones to evolve. While spending half a meeting explaining to the customer what an Intrusion Detection System was 20 years ago, it is something close to default with most companies in both private and public sector today. Technology alone is however not enough to combat the ever-changing landscape of threats we face today. We need to address how we go about our work, as well as the minds of the people actually doing it. The trinity that is People-Processes-Technology all need to be equally addressed in order to ensure a secure operation. They are all important, but, if one were to be placed above the others, I would say it would have to be people. Every time.

The right tools – the technology – will always be of great importance. Statista reports that at the end of 2018, global spam volume as percentage of total e-mail traffic is still as high as 53.5 percent. No question at all whether or not we still need our antivirus solutions in place! Same company is also reporting that the global market size of outsourced services has doubled from 2000-2018 to close to USD 90bn. Obviously, there are no questions either as to whether it is important we have proper risk management, policies and procedures in place to plan, do, check and act when dealing with our different third parties.

Nevertheless, even though we excel at all of this – that one piece of malicious malware opened on a vulnerable system; or that one password given away on a fraudulent phone call might still shatter all defenses. Hence, it is imperative we also focus on getting into the hearts and minds of our employees if we really want to secure our operation.

Technology alone is however not enough to combat the ever-changing landscape of threats we face today

Working with human beings, one can safely assume there will be as many ways to go about this as there are people involved. Cultural differences alone will make a great difference towards both your starting point, as well as your chosen path going forward. Working for companies spanning multiple countries and continents, I have nevertheless observed a few common elements that should be smart to keep amongst your basics:

1. Keep it relevant.

When trying to raise awareness it is important you address your target audience with a certain amount of granularity. The language and format used to address non-technical personnel working with HR and Marketing should not be the same as that for IT-operations and Software Development. Get an understanding of their individual tasks and their workday.

2. Keep it interesting.

What is usually more important to employees than their employer's well-being is that of themselves, or their relatives. The topics presented should focus on what is their greatest concern – for example how to keep children safe on the internet, or how to protect your digital identity, or safely go about online banking and shopping. Good habits at home often become good habits at work, which is the win-win you're after.

3. Make it fun.

Across the globe, people have always loved playing – and competing. The Greek tradition of the Olympics is one example; the board game Senet played in ancient Egypt as far back as in 3500 BC is another. Create quizzes, design hackathons and capture-the-flag competitions, display leaderboards and celebrate your champions. Opportunities of gamification are almost close to endless, and most of them work very, very well.

4. Make it easy.

One should never have security for security's sake. Your controls should always have the goal of supporting the business. If you are not helping the business align to its strategic goals, you should stop what you are doing and do something different. The controls put in place must also enable your employees to do their job as effortlessly as possible (within the company's risk appetite). Finally, reporting suspicious activities or possible incidents should be very easy, frequently communicated, and always acknowledged – possibly even rewarded.

By making information security relevant and interesting to your employees in their daily lives – making reporting suspicious activities convenient and rewarding – and by showing them that said activity is always taken seriously and acted upon by security professionals – you've maybe just turned your weakest link into your biggest asset. Any one of us can have a bad day or a momentary lack of concentration – but given heightened awareness and ease of reporting, this risk can be reduced significantly. Couple it with the right defense technology and well anchored and rehearsed incident processes, and you have a winner.

As I like to think of it – in a company with 1000 employees, you can look at it as either you have 1000 security flaws, or you have 1000 security guards. I know which one I prefer.