Many IT security professionals and senior IT managers approach cyber security as if it were a war: a battle against state-funded hackers or other ‘bad’ people attacking from the outside. This results in investment in security solutions that focus purely on protecting the boundaries but neglect the principal problem, which is that most data loss is caused by your own staff. A recent survey found that 56% of people have sent emails or data to the wrong person by mistake [i], and the ICO believes that over 50% of data breaches are caused by human error [ii].
With social networking, cloud-based solutions, BYOD and the like, the boundary between inside and outside the organisation is increasingly blurred, and your users are the front line. Even with the most stringent border security, any defence can be outflanked with a little cunning. Just as in WW2, when the Germans came through Belgium rather than across the Franco-German border as anticipated, so a hacker might use the details you put on LinkedIn or Facebook to circumvent your organisational security.
We call this fixation with the external foe the Maginot Line Principle.
The Maginot Line was a line of concrete fortifications, obstacles and weapons installations that France constructed along its border with Germany during the 1930s. It was impervious to most forms of attack and offered state-of-the-art living conditions for the garrisoned troops: air conditioning, eating areas and underground railways. However, it proved costly to maintain and consequently led to other parts of the French armed forces being underfunded [iii].
The French thought they understood the shape of the German threat and could defend against it by building a wall behind which life could go on as it always had. No thought was given to how the state would respond to an incursion; the French people were simply not involved in their own defence. The French government designed a defence that would have helped them win WW1, but the attack, when it came, outflanked the line and France fell within 6 weeks.
If you look at how large corporates behave, it’s easy to see how they fall into the same trap as the French. It’s difficult for a senior person to admit that they just don’t know where and when the next big threat will come from. However, it’s also difficult to get senior management to invest in a solution unless you can show a real problem, its likely impact, how to solve it and how other similar companies are adopting the proposed response. So big companies have spent years buying firewalls and failing to implement over-engineered solutions such as Rights Management and PKI. They are trying to protect everything with the same level of security, which spreads their budget very thin.
I firmly believe that until you raise your staff’s awareness of cyber security and provide them with simple, easy-to-use tools to help them protect themselves, you leave yourself wide open to the next type of attack. If you empower your staff, all of a sudden you have many more eyes and ears managing the security risk, without any significant additional investment, since you already pay them! Users understand the value of the information they create and handle, so a simple automated marking scheme lets them take the right decision on who to share the information with; the same marking can then be used by the organisation to control access, drive archiving and data recovery, and meet its compliance requirements.
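To make the marking scheme concrete, here is an added example (not code from the original post): a user applies a classification label to an outbound message, and a small organisational policy decides whether each recipient is permitted, warns about a first-time external recipient (the misdirected-email case quoted above), and returns the retention period that would drive archiving. The label names, the domain example.com and the retention values are assumptions constructed for the illustration.

```python
from dataclasses import dataclass, field

# Policy keyed on the user-applied marking: which recipient domains may
# receive it (None = anyone) and how long it must be retained, in days.
# All values are constructed for this example.
POLICY = {
    "PUBLIC":       {"domains": None,            "retain_days": 365},
    "INTERNAL":     {"domains": {"example.com"}, "retain_days": 365 * 3},
    "CONFIDENTIAL": {"domains": {"example.com"}, "retain_days": 365 * 7},
}
HOME_DOMAIN = "example.com"  # assumed organisation domain


@dataclass
class Decision:
    allowed: bool
    retain_days: int
    blocked: list = field(default_factory=list)   # recipients outside policy
    warnings: list = field(default_factory=list)  # possible misdirection


def _domain(address):
    # Part after the last '@', lower-cased so comparisons are case-insensitive.
    return address.rsplit("@", 1)[-1].lower()


def check_send(marking, recipients, sender_contacts=()):
    """Apply the classification policy to one outbound message.

    marking: label the user applied, e.g. 'CONFIDENTIAL' (case-insensitive).
    recipients: list of e-mail addresses.
    sender_contacts: addresses the sender has mailed before; an external
    recipient not in this set is flagged as a likely wrong-recipient slip.
    An unknown or mistyped marking falls back to the most restrictive rule,
    so a bad label never silently downgrades protection.
    """
    rule = POLICY.get(marking.upper(), POLICY["CONFIDENTIAL"])
    decision = Decision(allowed=True, retain_days=rule["retain_days"])
    for rcpt in recipients:
        dom = _domain(rcpt)
        if rule["domains"] is not None and dom not in rule["domains"]:
            decision.blocked.append(rcpt)          # policy forbids this domain
        elif dom != HOME_DOMAIN and rcpt.lower() not in sender_contacts:
            decision.warnings.append(f"{rcpt}: first-time external recipient")
    decision.allowed = not decision.blocked
    return decision
```

A mail client or gateway would call `check_send` before delivery and show the user the blocked list and warnings, while the retention value is handed to the archive.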
According to the ICO, data loss incidents have increased tenfold over the past 5 years, so you have a choice: keep trying to build a Maginot Line of your own around your organisation, or take a smarter route to proactively managing data loss by involving your users in data classification.
[ii] See www.ico.org.uk/enforcement/trends, showing data for Q1 2013 (UK only).