It is easy to apply top-down security policies, but much harder to ensure they are being followed from the top. In this fictional post-breach scenario, Dominic Saunders, senior vice president at the NETconsent business unit of Cryptzone imagines how the CISO might tackle a wayward MD.
There’s a saying that seems to resonate in the executive corridor of far too many organisations - “do as I say, not as I do”. This cautionary tale builds a fictitious scenario around that saying to illustrate just how dangerous double standards can be. Our unfortunate protagonist is a managing director who believes the rules don’t apply to him.
The headlines said it all: Tom Smith’s company was splashed across the news, and he knew someone in his company was in trouble. As a call centre, it wasn’t just his own database that was now effectively hung out to dry, but also those of his 400-plus clients, which contained some very personal information. He wasted no time - someone was to blame, and the root of the problem had to be dug up.
Tom contacted his Chief Information Security Officer, Rob Banks. The instruction was simple: find the source of the leak, plug it, and whoever was responsible was out. Rob set about finding who was to blame, and Tom was more than happy for him to do so.
Of course, being interviewed by Rob was weird, but his thoroughness demonstrated that he was taking the situation seriously. As they sat down, Tom reassured Rob that he should treat him as he would “any other suspect” and forget their respective positions within the organisation. So Rob did.
Rob’s first question caught Tom a little off guard. Yes, he’d seen, read and understood the policies and procedures surrounding information governance. In fact, he’d been instrumental in helping Rob write them!
As the questions moved on to the security policy itself, Tom began to feel like a suspect. He confessed he hadn’t changed his password recently, even when the message flashed up prompting him to do so. Making up new, complex passwords is not best done under pressure. Yes, in an ideal world, he would change it every four weeks. But in reality, who was actually doing that? The fact that everyone Rob had spoken to so far said they knew the rules didn’t mean they were actually following them. And Rob’s comment that Tom was in violation of the security policy was just churlish.
Rob asked Tom if he was aware of the protective technologies the organisation had deployed to provide a formidable security blanket. Aware of them? Tom had sat through endless presentations with Rob from the various vendors touting them. The social engineering test the penetration team had conducted was infamous for the stunts they had pulled. Tom was quick to remind Rob that every highlighted area had been addressed, with no expense spared.
Tom’s encryption habits were the next element Rob scrutinised. Tom had to admit he hadn’t upgraded the program on his PC yet, as he was worried about compatibility problems opening older files. He’d started to do it, but he’d been under pressure and it was taking so long that he’d had to abort it - that didn’t mean he wouldn’t. When he confessed he’d “switched off” encryption on his laptop, Rob became really agitated. In Tom’s defence, it had slowed down performance - admittedly not by a huge amount - and Rob had to realise that every second counts. Yes, Tom agreed, he knew this violated the security policy.
Rob’s interrogation continued, this time asking how many other devices Tom used during the day. A little more bullish, Tom pulled out the corporate-owned smartphone he used for email. Rob asked whether Tom owned any personal devices and, rather proudly, Tom pulled out his shiny new iPhone 4S and laid it rather tenderly on the table. He didn’t use it for business, so it was fine, and he hadn’t told anyone.
Rob snatched it up, and his horrified expression said it all as he opened Tom’s personal Hotmail account and started looking at the various messages, complete with attachments, that Tom had forwarded to himself. “It’s got a better screen for seeing the graphs and charts on” sounded a little hollow even to his own ears, and Tom knew what was coming next. It was a clear violation of the security policy.
In for a penny, in for a pound - Tom decided to come clean about his iPad. He’d wanted to work on the train and the laptop was just so cumbersome to haul backwards and forwards, so this was far more convenient. He’d transferred some documents to work on - the payroll, some R&D reports, a few tenders, and of course the latest board minutes. He’d never dream of moving a whole database to it!
Rob then showed him how, from that same iPad, he could reach the corporate SharePoint site and its Aladdin’s cave of information. If only Tom had known, he could have been so much more productive. Rob did warn that this too was a violation of the security policy.
Rob moved on to examine Tom’s laptop. It didn’t take long to identify the malware skulking in its operating system, exfiltrating passwords and login credentials across the ether. Rob had identified where the leak was and could plug it. The question was: did Tom still want the person responsible out?
So what does this scenario demonstrate? Even if an organisation is doing all the right things, if the people within it aren’t, then it’s all for nothing. Although security and governance issues are increasingly being discussed at board level, the perception remains that senior personnel believe IT security policies and procedures apply to the general workforce, while they themselves don’t necessarily practise what they preach.
With data loss a daily news headline and regulators hitting hard on organisations with lax attitudes towards data security, IT departments should be able to count on their board members and senior management teams to lead by example.
To prevent falling into the same trap, organisations need to take an enterprise approach to IT security awareness programs and take the following steps: