“My contention is that data losses are not down to technology or [cybercriminals] doing clever things,” Colley remarked, putting recent data breaches down to a lack of employee awareness.
Colley emphasised that any organisation must have policies and standards, though he added that this was “a bit of a cop out as everything else could be rolled up under that”.
He observed that there should be “some sort of system/process/procedures to ensure the policy and standards can be met”, as well as communications, education and training, and a review process: “If you don’t know it’s working, you’re going by trust.”
He added that there must be corrective action.
At a more basic level Colley noted, there should be, top management commitment and access control.
“It sounds so simple,” he said “but I’ve worked in a number of major banks and access control was a nightmare.”
Colley remarked that recent high profile breaches were “not really technology breaches but people doing silly things…It’s not about very clever technology, it’s about businesses”.
Colley pulled statistics from a recent (ISC)2 survey, which found that 72% of respondents knew of their company having a security policy, and just 63% of these confirming that their organisation tracks the enforcement of their policy.
The survey also found that the obstacles preventing compliance with an organisation’s security included a lack of training for 48%, of respondents, the culture of the organisation for 48% and poor communications for 46%. Interestingly, just 22% of the professionals that were questioned put their obstacles down to a lack of budget.
When asked how the respondents’ company educates customers and suppliers on how to interact safely, 64% replied that there was a contractual obligation. Colley noted this was ineffective as it was akin to saying “We‘re gonna sue you if you do something wrong so make sure you don’t do something wrong”.
Colley warned that recent breaches were “all about company culture, it’s all about poor understanding of policy, it’s all about accountability not being defined,” and added that “employee awareness is dangerously immature.”
“Security is not the security department’s responsibility. It goes much deeper than that,” he concluded, saying that “organisations should be creating an environment where the security policies actually help the business – where they are not ignored.”