Ian Edwards MBCS, Head of Information Security & Risk at MEDICA Group reminds us about not losing sight of the fundamentals of security, amongst the backdrop of a technology-driven world.
I was born in the mid-1980s a few years before the first worm and anti-virus tool was created. They were harmless and borne out of a research project by Bob Thomas and developed further by Ray Tomlinson, the inventor of email. I always find it exciting to look back and see how far technology and associated threats have come. I’ve been privileged to grow up and see the digitisation of the world around me.
If we fast forward, security threats and actors have caused significant damage to industry, public services and commercial organisations. This has become more prominent and the peak of this is not yet visibly clear.
There is a revival in the industry at the moment. I’ve met a number of passionate individuals whose goals are to advocate the importance of the human factor. I personally believe this is one of (if not the most) important areas of information security. As people we are always targeted by threat actors at home, work or when out and about. Phishing, as an example, still remains one of the largest attacks against us, yet general awareness and understanding of this still remains a huge issue globally.
Developing the human firewall is often one of the lowest cost security controls. It is more than just providing annual refresher training, though. Knowledge and understanding can only be acquired over time. If you are forcing your staff to take 60+ minute training in one go, stop. It’s ineffective and probably more damaging than doing nothing at all.
As an industry, do we want people to relate security to boring, laborious training?
No, we want the opposite. We want people who are engaged and empowered to deal with security threats. Look at regular bite-sized learning materials, videos and games. Make the content about the individual and not your business. Focus on threats at home and you’ll see people apply it in the workplace too.
I’m not going to bang-on about building a ‘security culture’ as I believe this can generate more problems. We should aim to make security a part of existing company cultures and this requires a tailored approach because every business is different.

Information security fundamentals: Part 1: Principles
When thinking about information and cyber security fundamentals we are often drawn to our underlying principles: the confidentiality, integrity and availability of information, or the CIA triad as it is often referred to. These principles are well established and should form the backbone of any security programme or framework.

Security technology and culture
I recently attended one of the larger security conferences in London and it touched a nerve for me. Although I’ve seen the vast maps of established vendors and start-ups, I’d not previously attended a conference with over 400 brands on show. Now, I am not aiming to vendor bash here. Each business provides one or more solutions and ultimately targets specific risks. A large portion of these solutions tend to be pure technology and will be seen as shiny and attractive to IT and security professionals.

Over the years, I believe the industry has developed a ‘sheep like’ culture that can be likened to our everyday lives. I entered my teens in the late 1990s and there was a strong culture of association with brands. If you weren’t wearing the latest Nike, Kappa or Adidas track suits, you were often looked down on. I’m very proud of my parents as they never succumbed to the pressure (and ludicrous prices). Fortunately, I was a grounded young person and mature enough to develop my own identity. I was the kid who would wear generic jeans and a t-shirt instead of a tracksuit and was comfortable wearing a less common ‘brand’.

My parents’ approach to life has been an inspiration to me. They focused on getting the basics in life right. This predominantly consisted of managing the family finances to ensure we could live, enjoy our time together and enable my sister and I to grow up positively. This leads me onto the point I am trying to make here. Whether your business is young or established there is no specific ‘brand’ of security or technology that you should follow. However, and this is a big however; there are certain fundamentals that apply to all.

Information security fundamentals: Part 2: What do we consider fundamentals to be?
Earlier, I reminded you of the traditional CIA principles. If we look at our security programmes or frameworks, what do we really consider as the fundamentals? If I think of the word fundamentals, I’m led towards ‘basic’ or ‘essentials’. No matter the context, the fundamentals are about getting the basics or essentials right. In our personal lives this usually means:

- Generating a steady income.
- Providing for oneself or a family.
- Protecting ourselves and our family.
- Supporting those closest to us.

- Generating revenue.
- Providing a reliable service or product.
- Protecting business assets.
- Supporting staff and customers.

- Enable the business to generate revenue.
- Enable the business to provide a reliable service or product.
- Enable the business to protect its most important assets.
- Enable the business to support staff and customers.
The human factor (people)
