By Tom Espiner
14 October 2005
Companies must ensure that their staff understand the reasons behind
security policies and support them, rather than just dictating them
from on high, a government consultant said at Secure London 2005 on
Paul Hansford, CLAS consultant for GCHQ and senior consultant at
Insight Consulting, said that many security procedures fail because
staff don't understand what their company is trying to do.
"It is not enough to get staff to literally 'sign up' to procedures --
they must fully appreciate their purpose," he said.
He recalled an apocryphal story illustrating the point: "A colleague
went into a government agency and at one cluster of desks saw a line
of 'bobbing bird' toys. The system locked out the user if they didn't
touch the keyboard for a certain length of time, and required them to
re-input their password. The 'bobbing birds' were lined up next to
everyone's computer so that they would tap the 'enter' key every 30
The underlying beliefs of staff can be at odds with security policy,
he said. "People tend to have a 'What's in it for me?' attitude. For
example, some people may feel that it's fine to share passwords if it
makes the business tick over, their attitude being that business is
more important than security," Hansford said.
"Companies need to assess people's security training needs, which
includes having to elicit how security 'aware' they are," he said.
"Awareness is not just about education and training, but is also an
appreciation of, and a motivation to support, an issue."
An IBM security expert emphasised the need to monitor personnel to
maintain security levels.
"Personnel security is not just about initially screening and vetting
employees, but it's also about monitoring the guy who might have
personal problems," said Julian Lander, IT security programme manager
with IBM. "If their work performance isn't right, they may be involved
in drug or alcohol abuse, or if they have an overelaborate lifestyle
-- which I've seen in the past -- that can indicate possible security
Lander argued that security procedures need to recognise the human
factor. "Security is about people. Speaking generally, the way to
address the problem is by coaching, mentoring or counselling -- all
the soft skills that HR has. You have to work with HR to maintain a
successful security policy," Lander said.
According to Hansford, security standards become harder to maintain as
more staff work remotely; he noted that more than half of all UK
businesses currently allow staff remote access.
"As more staff work remotely, physical security is difficult to
achieve. At the end of the day (employers and security professionals)
won't be there, so procedural security needs to be got right," he