An Effective Security Awareness Program is Essential not only to Compliance, but to Protecting Your Company's Reputation and Revenues
Introduction
No responsible enterprise would operate without firewalls, intrusion detection systems, and other technology-based controls to safeguard its information. But how are you addressing the ultimate security endpoint: the human? What protection, if any, do your people get? Unfortunately, there is no firewall technology that can block a social engineering phone call or a phishing e-mail from a trusted source. Worse is a workforce that operates under a false sense of security, believing the enterprise's technology is sufficient to protect its assets. You know it's not. Yet how much attention does the human element get in the information security game plan? If your information security strategy is only as deep as your technology layer, then potential breaches are just one misguided click away. And those clicks happen. Annual threat reports reveal that the risks to business, partners, customers, and reputation are myriad, mounting, and material. In 2012 alone, 855 information security incidents compromised 174 million records. And according to Verizon's recent data breach report¹, 96% of the attacks were not at all difficult to perpetrate; almost all found vulnerable human targets that were easily exploited. Thus the Verizon report concluded, "...a substantial amount of data loss and quite a few upset customers serve as reminders that humans can, in various ways, bring harm to the organization." As to a solution, the report writers are quick to add, "We still favor well-thought out and well delivered ways to increase awareness."
Thor Olavsrud of CIO.com agrees: "Your sensitive data is only as secure as the weakest link in your organization, and in many cases the weak link is your employees. A properly established security awareness and training program can pay huge dividends." Indeed, a security awareness program ought to be integral to an information security strategy, and ideally one that balances people, processes, and technologies in appropriate measures. Approaches that are heavy on technology, for example, might be able to defeat technology-based attack vectors, but they leave unprotected the operators who now constitute the bulk of the attack surface, both as to probability and potential consequences. If you've decided to make the case for investing in a security awareness program for your organization, presenting a coherent and data-based argument will be crucial. In the pages that follow, we'll provide you with the tools and information you'll need to make that case. We'll address the most pressing business drivers that will in turn drive your most compelling arguments; we'll show you how security awareness can leverage huge savings even as it helps protect your organization's reputation; and we'll provide the answers you'll need to put to rest the typical objections that will inevitably arise along the way. Finally, you'll be able to make clear the case that a security-aware culture will make a substantial contribution to improving your organization's overall security posture.
Security, as the Forrester analysts say, is no longer embedded in IT. It is, in fact, diffused throughout the organization, from top to bottom. No function within the organization is immune to security risks. Security awareness must, therefore, become ingrained into your organization's culture. Take a look, for example, at a sampling of the many business functions that can be directly and positively impacted by the benefits of a security awareness program, or negatively impacted by the lack of one:
- Business Continuity and Disaster Recovery
- Financial Risk and Insurance
- Physical and Corporate Security
- General Counsel and Legal
- Human Resources
- IT Security Team
- Marketing, Sales, and Business Development
- Crisis Communications
- Customers
- Partners
- Shareholders
The last three warrant a closer look. Even a relatively small but newsworthy breach will spike customer churn rates, harm partner relationships, and damage shareholder value. What's more, competitors will seize upon the opportunity to position your company as untrustworthy. All because of the untrained or careless action of a single employee. And with nearly all states requiring breach notification, missteps with customer data can't be kept under wraps.
Conversely, companies that are driven by a narrow, short-sighted view of compliance tend to focus on the cost of compliance with a view only to minimizing it. Such an orientation leaves the company exposed on several levels:
- The costs of non-compliance can dwarf the cost of the relatively inexpensive compliance measures (which include a security awareness program).
- Poor compliance measures (e.g., lack of a proper security awareness program) invite incidents.
- A check-the-box approach to compliance leaves the company with a very poor risk profile.
- The resulting risk exposure endangers the company's greatest asset: its reputation.
Consequently, unless the calculation of the total cost of compliance includes the costs of non-compliance (fines, restitution, civil actions arising from inadequate or no training or negligence in training), revenue losses from business disruption, customer churn, and other indirect and opportunity costs, your true risk exposure will be tremendously underestimated. Translating this reality to bottom line language for business executives will prove strategic: compliance costs are small, but the benefits they yield are enormous. And one very important key to minimizing compliance costs, while simultaneously increasing the benefits to business, is a proper security awareness program.
Executive management is burdened with major concerns, from company reputation to customer churn. A proactive security awareness program that is aligned specifically to business priorities can allay stakeholder fears by minimizing both the causes and consequences of business disruption.
Exposing the Vulnerabilities
The (ISC)² report cited earlier also found that IT organizations are substantially less prepared today for both the prevention and the consequences of a security breach than they were two years ago. The three readiness attributes they investigated were: being prepared for a security incident; discovering a security breach; and recovering from a security incident, all of them markedly down from previous estimates. In all three areas, however, a proper security awareness program can make a significant difference, from reducing incidents, to encouraging the reporting of incidents, to minimizing the consequences of incidents, with very little expense or overhead. The risk/reward tradeoff is substantial. According to research conducted by the Ponemon Institute, 51% of CEOs say their company experiences cyber-attacks hourly or daily. In fact, the number of targeted attacks has increased dramatically in the last two years. These increasingly sophisticated and determined attempts to gain access to sensitive information rely on a medley of attack vectors, including customized malware and highly targeted social engineering schemes. As one observer³ noted, "Finding a gullible human in a targeted organization is often easier than finding a software vulnerability or an open network port, so attackers are quick to use social engineering as a key part of any exploit." So while your company might be deploying the latest security technology, the perpetrators are finding ways around it. And in the arms race between the bad guys and the security vendors, the employees who handle sensitive information are caught in the crossfire. This is the new front where the battle, and the breaches, will occur. It's also the last line of defense. If people are not fortified with proper security awareness training and reinforcement, then breaches are all but assured. And the potential consequences are severe: recent Symantec-sponsored research⁴ found an average 1.1 million identities were exposed per breach, while more than 400 million unique variants of malware continue to target high-level executives, senior managers, and R&D personnel.
Making the Case
Moreover, a study⁵ by Forrester actually found that enterprise perceptions of incident likelihood were backed up by the incidents they actually experienced. In other words, people saw it coming. "A majority of enterprises," the report reads, "felt that employee-related accidents were the most likely sources." Theft or misplacement of an employee device was seen as likely or extremely likely by 58% of respondents, while the risk of accidental leakage by an employee was seen as nearly as risky (57%). Clearly, this is not a technology problem. In fact, even where technology might be a factor, 90% of all malware still requires human interaction before it can infect its target. That's a people problem.
The annual CSI survey⁸ also tracks the loss of customers directly associated with a breach event. The most recent study found the average customer churn rate to be 3.7% (with a considerably higher 6% for pharmaceuticals, communications, and health care sectors). Indeed, there are many components of the total cost of a breach (Zurich⁹ provides a helpful resource in determining what yours might be). For a quick and dirty ballpark figure, simply multiply the costs by the number of records your organization keeps and you'll have a pretty good estimate of exposure. For regulated industries, the Department of Justice also levies fines that average upwards of $2M and restitution awards averaging in excess of $3M per breach. Tellingly, the majority of the breached companies profiled in the study did not have a security awareness program in place. And because the majority of incidents were attributed to human behaviors, the number of incidents, and their consequences, could have been prevented or greatly diminished with security awareness training. As Ponemon Institute research consistently shows, incident rates and their associated non-compliance costs are inversely proportional to the organization's level of security awareness. Want to minimize breaches and non-compliance costs? Institute a security awareness program! What's more, the due diligence demonstrated by the presence of a robust security awareness program alone will dramatically improve the security posture, help mitigate potential fines, and preserve brand equity in the process.
The positive results of improving security awareness are both intuitive and well documented. The Security Effectiveness Score shows that when organizations spend a dollar on compliance, they get far more than a dollar's value in return in the form of significantly reduced noncompliance costs. The converse is also true: companies that invest little in compliance and security awareness pay far more on the back end when breaches ultimately occur. Comparing the track records of companies with low levels of information security investment versus those with industry-typical levels tells the tale. A case in point is the healthcare sector, which on average allocates just 1-3% of the IT budget to all information security measures. This is in contrast to an industry-average figure of approximately 10%. Not surprisingly, a study¹¹ commissioned by Symantec reported that the top ten industry sectors by data breaches was led by the healthcare sector, which accounted for 36% of all breaches. The number two sector was education, far behind with 16%. Healthcare leads by a massive margin, and with a security spend that is at or near the bottom. The old cliché, "spend a little, save a lot," has never rung more true.
risk exposure are the most important security capabilities for upcoming years. In contrast, nonexecutive respondents [information security professionals] chose compliance with regulations, standards, and policies, in addition to building a culture of security as the most important capabilities of the future. This finding sheds tremendous light on the disparity Forrester discovered. Only by opening the door to a review of how the information security budget is allocated, with a view toward aligning it to business objectives, can one begin to optimize that spend in proper balance. And the objectives of both parties can be met with a security awareness program that addresses both compliance issues and the security of corporate information. In the process, that program will contribute to improving 75% of the Security Effectiveness Score parameters, a metric that is directly correlated to minimizing the impact of non-compliance. That's significant leverage for all the stakeholders. A good security awareness program truly does constitute basic blocking and tackling, and as such, it is essential to winning the high stakes game of information security and keeping the brand safe.
While most IT security professionals truly get it, their levels of enthusiasm for promoting security awareness are seldom matched by the executives on whom they depend for budget approvals. Consequently, we've spent a good bit of time here on aligning the need for security awareness to business objectives. But as you engage on a deeper level with the various stakeholders, there will inevitably arise a number of specific objections that stand in the way of a fully supported security awareness initiative. Here are a few of the more common objections you may hear, along with a few suggested responses.
"We're good; our company has never had a breach."
Suggested response: Yes, we have been very fortunate! Let's hope our luck continues. Recent industry data, however, shows we are falling behind the curve. In the face of so many threats, we must apply all due diligence to ensure that our vulnerabilities are not left to fate. I suggest we can be more proactive in supporting our business interests. We must continually step up and respond to new and emerging business threats to preserve shareholder value and maintain customer loyalty.
"The cost is too great."
Suggested response: As with any investment, you must evaluate the risk and the return (as well as possible damages). Sometimes the greatest risk to business is doing nothing new. The investment is modest: an effective security awareness program is likely to be fully covered for less than 1% of the typical enterprise IT budget. Focusing on the price alone ignores costs that can run many orders of magnitude greater, e.g., the direct, indirect, and opportunity costs associated with breaches or other forms of non-compliance. We can not only meet our compliance needs, but also help foster a security-aware culture that contributes real value to enhance brand reputation. Conversely, how much would it cost to replace all the customers that leave because we didn't keep their data secure?
"Training is not effective at changing behavior."
Suggested response: You are right, sometimes; many training programs, and security awareness initiatives, fail to meet expectations. We don't want this to happen to us (any longer). Just as we evaluate technologies, and appraise other business options, we have investigated and evaluated what has really worked to achieve the best results. Our solution is designed to deliver behavior change right from the start. We will deliver and reinforce our message throughout the year. We believe we can provide a best-of-class security awareness program that will help us achieve a security-aware culture, safeguard our customer data, and protect our business assets. By doing so, we can keep our employees focused on the important tasks of achieving our business goals and meeting our customer commitments.
(Note: We explore this objection in great detail in our series on the principles of adult learning, and we invite you to discover the real reasons why some programs fail, and what you can do to ensure success in your program.)
It's not simply how much you spend, but how you spend it. The relatively small investment in security awareness will not only be more appropriately aligned with your actual threat landscape and vulnerabilities, it will make the rest of your information security spend more efficient.
"Technology (firewalls, antivirus, etc.) is sufficient to provide information security."
Suggested response: These tools are very good at what they do, but only at the levels they address: the network/host layers. Such technologies do not provide 100% coverage or any other guarantee. The problem now is that attackers circumvent these defenses and focus on the much softer targets: people. A good security strategy is a multi-layer strategy, one that includes the human defensive layer. In fact, it is the last line of defense, and it is precisely those companies that have not reinforced this line that have experienced the most breaches and suffered the worst consequences. This current reality calls for an additional security layer in the form of a truly effective security awareness program.
"We have no time to create and manage security awareness training."
Suggested response: You are correct; it takes effort to create and manage a truly effective security awareness program. There are many resources on the market that can help us reduce this effort and give us a head-start. A good security awareness program can be outsourced to a competent solution provider, effectively offloading the burden. We currently purchase hardware, software, and services from competent outside vendors. We propose we do the same for our security awareness program. We can also supplement or adapt the program to fit our needs. This is a highly specialized field that requires a specific set of competencies to create a training solution that will actually work to bring about security-aware behaviors and culture. The time investment can be greatly reduced and the value greatly increased by leveraging existing programs to meet our business goals.
"Our most recent audit found us to be fully compliant with data protection regulations."
Suggested response: You are correct; our security awareness training passed the recent audit. The box was checked. As we both know, there is usually more to meeting the spirit of the requirement than just checking the box. Many auditors are now looking at compliance training programs more closely. I'm not sure how long it will be before our current program fails an audit. At the end of the day, we want a more secure organization. To achieve that goal, and reduce our risk, we need an effective security awareness program that will provide a foundation for true behavioral change. As has been shown numerous times and in numerous ways, a wide gulf separates regulatory compliance from true security awareness. The organization may save itself a fine, but leave the enterprise wide open to far greater potential consequences. Compliance-driven security is a low watermark where actual risk reduction is concerned. I suggest we take the next step and look at implementing a program that will meet both the spirit and the letter of the law. We must continually step up and respond to new and emerging business threats to preserve shareholder value and maintain our customers' trust.
"Executive management (corporate) does not see the need."
Suggested response: Our goal is to help you (executive management) meet our business objectives. We can't do that if our shareholders, employees, partners, and our customers don't trust us. It has taken years to build our reputation, but it can be lost in very short order. We want to eliminate any data security risk that could get in your way of growing the company and helping you meet our business commitments. A major data breach will require attention from management, IT, marketing communications, and other business units. It's a huge distraction and will cost us time, money, and resources. We must upgrade the human defensive layer to reduce our data security risk. An effective security awareness program will enable our people, and you, to succeed and meet your personal and business objectives.
(Note: This is perhaps the most common objection of all, and is indicative of a security awareness proposal that is not aligned with the business objectives.)
"We're too small to justify a security awareness program."
Suggested response: According to a recent Symantec research report¹¹, 50% of attacks focused on companies with fewer than 2,500 employees, and 18% of attacks were focused on organizations with fewer than 250 employees. It's possible that smaller companies are now being targeted as a stepping stone to a larger organization because they may be less well-defended. Targeted attacks are a risk for businesses of all sizes; no one is immune. We believe we can provide a cost-effective security awareness program that will help us safeguard our customer data and protect our business assets. By doing so, our company can keep focused on the important tasks of achieving our business goals and meeting our customer commitments.
Conclusion
As we have shown, in the realm of information security, a company's Achilles heel is often its employees. Technology does very little to address this weakness. And the problem is only growing. Gartner forecasts that through 2016, the financial impact of cybercrime will grow 10% per year due to the continuing discovery of new vulnerabilities. A security awareness program is one of the lowest cost/highest impact investments a company can make in not only getting ahead of the cybercrime power curve, but in protecting the business interests of the enterprise.
Sources
1. Verizon, Data Breach Investigations Report, 2012
2. (ISC)², Global Information Security Workforce Study, 2013
3. Dark Reading, The Many Faces Of The Verizon Data Breach Investigation Report, April 23, 2013
4. Ponemon Institute, Cost of Data Breach, 2011
5. Forrester Research, Inc., The Value of Corporate Secrets
6. Ponemon Institute, 2013 Cost of Data Breach Study
7. Hewlett-Packard Enterprise Security, Rethinking Your Enterprise Security, 2013
8. Computer Security Institute, CSI Computer Crime and Security Survey, 2012
9. Zurich, Data Breach Cost, Part I: Risks, Costs and Mitigation Strategies for Data Breaches, 2012
10. Rebecca Herold, Managing an Information Security and Privacy Awareness and Training Program, CRC Press, 2010
11. Symantec, Internet Security Threat Report, Volume 18, 2013
12. Hanover Research, CISO Pulse Survey Analysis, Prepared for Tripwire, Inc., April 2013
About MediaPro
MediaPro is nationally recognized for producing award-winning, Web-based security and privacy training solutions that reduce risk by improving security-aware behaviors. Our best-of-class awareness materials will help you safeguard your customer data and protect your business assets. In addition to training and reinforcement products, MediaPro also develops custom data protection and compliance courseware. MediaPro has won over 100 prestigious awards for instructional excellence and its products are used by the most security-conscious companies in the world. For more information about our award-winning security and privacy awareness products and services, please contact us at (800) 726-6951, email us at mp.info@mediapro.com, or visit us on the web at www.mediapro.com.
20021 120th Avenue NE, Suite 102 | Bothell, WA 98011 | (425) 483-4700 | (800) 726-6951