Checking Boxes vs. Proactive Security
Almost all of the high-profile data breaches that happened in 2017 were ultimately caused by either human error or known vulnerabilities that had been left unpatched for several months. This is counter-intuitive to many people, as new, unknown vulnerabilities (“zero-day vulnerabilities”) receive most of the attention in the media.
In this briefing we will have a look at why large organizational networks are vulnerable to attacks that seem to be easy to defend against.
Awareness
To make a useful oversimplification, preventable breaches due to human error or old unpatched vulnerabilities are caused by a lack of awareness. Staff who either don’t know about social engineering, malware and phishing, or who don’t consider these issues to be dangerous and partly their own responsibility, are the most likely to fall victim to them.
Likewise, management and technical teams with lower awareness of the impact security vulnerabilities can have are more likely to either ignore them or schedule them to be fixed during routine update cycles.
Yet, awareness in general and information security awareness in particular are buzzwords across all major industries. How can there be such a focus on the concept of awareness and so little actual awareness at the same time?
Checking Boxes
While the answer to this question is complex, one major factor in play is the culture of checking boxes. Awareness programs are often delegated to general middle-management. Thus, the people in charge of creating awareness for security issues are often not well informed on these topics themselves.
When tasked with creating a program, they fall back on existing information security awareness frameworks such as those included in the PCI-DSS and ISO 27001 standards, or those released by independent security organizations such as OWASP. While these frameworks are excellent and well thought out, they require careful adaptation to fit the specific organization. Unfortunately, without in-depth knowledge of information security, adapting these general frameworks to a company becomes all but impossible, and the included sample checklists are often implemented as-is.
This in turn leads to what is called “blind compliance”. Half of the elements included in awareness trainings won’t apply to the company and will therefore be ignored by the trainees. This creates the perception that the training is not really relevant to everyday operations.
The elements that are important are likely to be discarded together with those that are not.
In the end, the organization checks all the boxes on the awareness list but remains as vulnerable and unaware as ever, since the checkboxes were never adapted to fit real-world conditions. Being compliant on paper does not mean you are secure.
Proactive Security
The solution to the problem of blind compliance is proactive security. That means hiring qualified staff for security roles, creating a custom policy and awareness training that fits your organization (ideally based on one of the major standards), and ensuring that all staff, including management, are adequately trained in and aware of the elements of the policy that apply to them. Such trainings should be repeated at regular intervals to prevent standards from slipping over time.
While doing all of this correctly does not guarantee that there won’t be any breaches, it significantly raises the bar for attackers and makes breaches due to old unpatched vulnerabilities and human error much less likely.