It's an infosecurity fact of life: Security policies are generally ignored unless top management explicitly endorses them. But while executive backing is necessary, it's often not sufficient.
Successful policy implementation requires genuine buy-in throughout the organization, from top to bottom. Unless users believe the threats are real, the response is appropriate and the consequences of noncompliance are career-limiting, they'll always ignore policy.
Let's take a look at a case in which an infosecurity failure literally cost thousands of lives, and what it finally took to make security policies stick.
In 1915, the British army knew that crucial information was somehow leaking to the enemy. When they finally figured out that the Germans had developed "sniffer" technology that enabled them to eavesdrop on Allied trench telephone signals that were inadvertently carried through the ground, the British created strict policies limiting the use of electronic communications. These policies were universally ignored, resulting in thousands of fatalities.
Over a painful three-year period, the English signals staff gradually solved the problem with a three-pronged approach: new technology that was intrinsically safer; shared war stories about the cost of not following policy; and enforcing compliance through strict career penalties for middle management. Once a few captains and majors had been court-martialed for violation of communication discipline, officers realized that ignoring policy could permanently impact their careers.
The lessons from this story are applicable to contemporary infosecurity.
Just as the British developed communication technology that hindered sniffing, we can now deploy technology that helps thwart attackers -- with or without user help. For example, the 15-year fight against malware has been something of a seesaw battle between white hats and black hats. We've learned from painful experience just how difficult it is to train users to protect themselves from malware. The result has been increasingly sophisticated and automated defensive technology.
Nothing instills managers with a strong sense of enlightened self-interest better than real-world experiences that hit close to home. "Don't let this happen to you" can be a strong motivator. At one firm, managers in several locations had received similar suspicious e-mail messages: "I'm with our office in another country, and I need a list of all of your specialists. Our e-mail server is broken, so I'm writing to you from my home mail address." Examination of the mail headers showed they had originated at an industry-specialist recruiting firm -- a neat bit of social engineering designed to build a list of recruiting candidates. HR began an awareness campaign explaining the nature of the attack. Managers took the warning to heart. Nobody wanted to help headhunters recruit their best people.
Bear in mind that war stories tend to work only once. You're almost guaranteed a cold response if you try going to your board of directors a second and a third time with scare stories about how hackers have ruined other companies.
Courts-martial aren't a corporate option, but you can make adherence to security principles a regular part of everyone's annual review process. Tying compliance to annual bonuses and promotions is a sure way to ingrain security consciousness into the corporate culture. Use positive reinforcement as well: Offer special recognition to employees who prevent losses by being especially diligent.
A light touch is best. Treating their enterprise as a candyland of vulnerabilities, inexperienced infosecurity practitioners often want to fix everything at once. Such enthusiasm is admirable, but it's not an effective way to reduce risk. Instead, choose a few policy battles that can be won through technology, self-sustaining awareness efforts and carrot-and-stick approaches that can affect careers -- one way or the other.
History teaches us that significant security problems aren't always recognized as such, and that they are rarely solved through a quick fix. Permanent reduction of significant risks requires a coordinated, long-term effort that both accommodates and influences human behavior.
About the author:
Jay Heiser, CISSP, is a London-based security analyst with TruSecure Corp.