Why User Education On Security Needs To Start At The Top


Organisational security has long been the province of the IT manager or CIO. Their role is the management of systems, data and technology, and security is part of that management. But as businesses become more data-centric, and technology permeates all levels, the scope of responsibility is changing. Whilst IT managers and CIOs still provide the expertise, security can no longer be their responsibility alone. When the security of systems and data is fundamental to the business, it becomes fundamental to everyone in senior management.

This is why we are starting to see C-level culpability with respect to security. The recent high-profile breach at Target, in which the US retailer admitted that hackers had stolen 40 million debit and credit card numbers from its data banks, is an example. Following the pre-Christmas 2013 breach, CEO Gregg Steinhafel stepped down from his position in May 2014, after Target’s CIO, Beth Jacob, had resigned in March.

We can only speculate about the conversations that led to these senior step-downs, but the episode has been marked as a milestone with regard to how organisations should view data security as a business priority. It sends a message to other top-level executives: do you know how secure your business’s systems and data are? How educated are your employees on security issues? How educated are you?

Do As I Say, Not As I Do

A recent study of insider threat personas, which analysed the behaviour and attitudes of 1,000 US and 1,000 UK desk-based workers towards workplace security, offers some interesting insights about top-level management.

On the whole, those in senior management like to think they are considerate of workplace security, with an above-average 64% claiming this was the case, compared to 54% overall. They are also less likely than others to share their work-related passwords, and more likely to know who to report a security breach to.

But when it comes to actual behaviour, senior management’s security conscientiousness stops. They are more likely than other groups to share passwords for the purpose of delegating work, and an above-average 16% (compared to 10%) will share files between personal and work computers. This suggests that whilst senior management is thankfully more aware of some of the basics of organisational security, they are not quite behaving accordingly.

The Senior View On Internal Security

Interestingly, one key element of organisational security that senior management appear to be better acquainted with than most is that of insider threats. When asked what they saw as the top security concerns, senior management were the most likely group (47%) to put ‘employees’ in their top three.

That still leaves a majority of 53% who have failed to grasp this, which speaks to a wider problem with education on internal security, but senior management are nevertheless ahead of others. It seems their ‘view from the top’ gives them the perspective to see the real cracks in their organisations’ defences. They understand the issue of internal security even better than those in IT, which is possibly unsurprising: while IT focuses on technology and its security, it can sometimes miss the cultural aspects of organisational security.

The reality is that for most organisations, wider user education is woefully lacking. On the whole, fewer than a third of people know who to report a security breach to, while 23% of people have shared their work-related passwords with colleagues. The top reason given is also shocking: ‘my boss asked’ was quoted by 32% of those who admitted to sharing their passwords, another indication that senior management are not following their own rules.

Senior management have a unique view of their organisations, which should give them the ability to stand back and see the bigger picture. It is this that enables them to understand some security issues better than those who have traditionally managed them. Meanwhile, they should be getting a big red warning sign that this really ought to matter to them, as top-level executives at huge businesses are losing their jobs as a result of security-related issues. Yet, in some cases, it seems they are not leading by example.

Until senior management change their own behaviour, and start working more closely with those who are hands-on with the technology, businesses will have difficulty addressing internal security properly.

François Amigorena is founder and CEO of IS Decisions, a provider of Infrastructure and Security Management software solutions for Microsoft Windows and Active Directory. IS Decisions offers solutions for user access control, file auditing, server and desktop reporting, and remote installations. Its customers, including the FBI, the United Nations and Barclays, rely on IS Decisions to prevent security breaches, ensure compliance with major regulations such as SOX, FISMA and HIPAA, quickly respond to IT emergencies, and gain time and cost savings for IT.