In the past few years technology has become more and more important in the business environment and a very useful tool for corporations all over the world. Although technological development has its advantages, it also has its disadvantages, and one of the main ones is security. Slowly, quietly but constantly, corporate information systems are being attacked and exploited. Business secrets and corporate data are leaking almost on a daily basis. At stake are billions of dollars' worth of U.S. intellectual property, from source code and secret drug formulas to the plans for new products and technologies used by our government and military.
Research shows that the most serious security threats come not from outside but from within, ranging from disgruntled employees and outside contractors with insider privileges to human error and negligence when using or administering information systems. According to a recent FBI study, almost 80 percent of security violations are caused by authorized users acting with legitimate access. A company can lose millions of dollars from a single security incident. Despite spending $6 billion annually on computer security hardware and software to protect corporate data, businesses are starting to realize that even the best and most expensive technology cannot prevent internal breaches that are caused by lax end-user security practices, lack of training or human error (Marston, 2004).
How do companies ensure that their information assets are protected? Are there any technical or management solutions to this large security issue? This paper explores how human interaction with technology has led to major problems in managing IT security systems, and how most problems are increasingly caused by human factors rather than by any technical or environmental failure. It also analyzes the human element of information security, how the resulting risks can be minimized, and what corporations need to implement and change to stay on top of these internal, almost invisible but constantly present security threats.
Many corporations view "technical solutions" as the immediate answer to their information security issues, and the commercial market and product manufacturers strongly reinforce this myth. There are several reasons why a purely technological approach to minimizing internal security threats has severe drawbacks. The first is that technology is fallible: despite all the effort software designers put into quality engineering and security integration, hackers, testers and users will always find unchecked buffers, exploitable vulnerabilities, backdoors and unexpected exceptions. The second is that only a few corporations understand their information security problems in sufficient detail to ensure that the technology they implement will actually provide the appropriate security solution. Another factor is that the term "technical solution" by itself implies significant expense for the corporation, both during implementation and for ongoing maintenance. And last, and probably most important, someone has to implement and operate the technology. This opens a new perspective on security: the human factor (Hinson, 2003).
In any reasonably well-organized IT operation, most security failures will be caused by the operations personnel. "The first line of defense is employee awareness – the critical humanware component of your data security armor" (Marston, 2004). Although system administrator error plays a role in most security incidents, including major security breaches, a surprising number of companies do not publish or enforce security policies. Corporations are regularly faced with the scenario in which a system administrator has accidentally deleted the entire contents of a file server or database and then discovers that there is no current backup to restore, or that recovering from the backups that do exist will take an immense amount of time. The main reasons why system administrators make such mistakes can be counted on one hand and can be reduced relatively simply by corporate management. The first, and probably the main, factor is ignorance of what one is doing. This ignorance stems from a lack of education and is often seen when people try to "fix" critical systems for which they lack the required technical knowledge and experience. Ignorance can lead to stress, which is very common in the IT industry, especially among staff in supporting roles such as the Help Desk who are under pressure to perform to perceived expectations. Negligence is the third common reason why administrators make mistakes: the failure to perform a task that should be well known and/or obvious. IT administrators are known to skip steps and practices such as performing backups or following change control procedures when the workload becomes high. All of these factors, combined with the fatigue that results when system changes must be made outside business hours to avoid disrupting business processes, are disasters waiting to happen (Thompson, 2005).
Besides the administrators who might cause security breaches, there are end-users who might cause data loss or major harm to the information system. These end-user "mistakes" range from lacking the proper training and knowledge on how to use the system, to improperly configured user access rights, all the way to disgruntled employees who are looking for revenge and deliberately cause damage. Many IT users fail to see what relevance security and data loss have for themselves and the company they work for. While user errors cause the majority of security incidents, most organizations are not taking the steps needed to fix the problem. According to recent surveys, organizations blame 80 percent of all security incidents on human error, or on human error in conjunction with a technical malfunction. Yet statistics show that the majority of funds used to implement security measures go to hardware and software rather than to training. Organizations are not budgeting more for training, although proper training would eliminate many of the security threats and issues that are experienced and addressed on a daily basis. In 2005, half of the surveyed organizations had budgeted only 5 percent of their overall IT budget for training. Only fifteen percent of organizations allocated anywhere from 20 to 50 percent to training, and 10 percent planned to spend nothing on training their employees on security and information systems (Schwartz, 2005).
Training does require additional funding, because training is an ongoing process that does not stop after one session, a month or a year. Each company must not only include all of its new employees, but also make sure that existing employees have not forgotten the last training and its importance. In addition, the security threats directed at the end-user, such as virus attachments, social engineering, password attacks and the other technical and non-technical means used by hackers, change just as the technology does. Yesterday's security awareness training may not be as good as today's. In other words, training and security awareness is an ongoing and very important process that must not be neglected or underestimated. Unfortunately, that does not seem to be the case in many corporations. The absence of additional funding for training is puzzling, considering how many incidents are reported each year in which internal and human errors, rather than an external source, caused the security problem. Security assurance depends on human actions and knowledge as much as, if not more than, it does on technological advances. Companies seem to agree that training is the answer, even if their budgets do not reflect this. For example, 89 percent of respondents to a security study believe that "major security breaches have been reduced as a result of IT security training and certification" (Schwartz, 2005). The benefits that employees gain from security awareness training include improved identification of potential risks, increased awareness, improved security measures, and an ability to respond more rapidly to problems. Unfortunately, much of the executive staff considers security awareness to be important only for IT personnel and requires only IT staff to hold some sort of security certification.
The regular employee, who in many cases can cause more harm than an IT manager, is not given the opportunity to expand his or her horizons and receive the needed security awareness training. For training to be truly effective in preventing and combating security threats, organizations need to take the further step of spreading security awareness and knowledge from a select group of IT staff to larger portions of their workforce (Schwartz, 2005).
Besides security awareness training, the implementation of security policies is another useful way of making sure that human errors are minimized. Effective security policies range from password standards and non-disclosure agreements up to complex security standards specifically required for the type of business the corporation is in. These policies might have to comply with HIPAA, Sarbanes-Oxley or the VISA CISP regulations. But even here research shows that many corporations do not have any kind of security policy in place. The few companies that do have policies have most likely been "forced" by a law to write them, and in practice the policies are not enforced, not properly enforced, or outdated and therefore not useful. A great tool that allows corporations to implement security policies and standards relatively easily is ISO/IEC 17799 (renumbered as ISO/IEC 27002) together with the rest of the ISO/IEC 27000 series; certification of a security management system is performed against ISO/IEC 27001. This series of information security management standards is probably the most widely accepted, with thousands of organizations having been certified. The standards cover what a security plan and policies should include, how to identify risks, which controls need to be implemented and applied, as well as chapters on training and the need for it. The advantage of these tools is that they do not provide a cookie-cutter solution but can be adjusted to corporations and organizations based on their size, resources, financial means and type of business.
If corporations are serious about information security, they must tackle the human factors as well as the technology. Proactively managing the risks involves assessing and reassessing all threats, vulnerabilities and impacts, and successively implementing and improving controls. This is not a one-time operation of writing policies, obtaining an ISO/IEC 27001 certificate or providing annual security awareness training. Information security is an ongoing management process, and however a company chooses to deal with the human risk factor, certain minimum requirements must be met to keep security risks within the organization under control. The bare minimum that needs to be implemented, alongside the existing technology, is security awareness training for employees, and for non-technical staff in particular.
To show the staff that security is a serious issue that must be abided by, the corporation needs to implement and strictly enforce security policies that all staff must adhere to. It is management's responsibility to make sure that staff understand and correctly follow all relevant internal and external policies and processes. The IT staff will make sure the technology has all the required security updates in place and that known vulnerabilities have been fixed, but it is the human factor, the "hidden" but devastating risk from the daily user, that is constantly present and that needs to be addressed. Employees and IT users have to be introduced to this important topic and made aware that they are a major, if not the most important, factor in making sure that corporate data is safeguarded and risks are minimized, thereby allowing for a safe and long-lasting work environment without disasters, possible job losses or even bankruptcy. Security awareness through training and the implementation of security policies prevents negligence, and negligence is best managed by management, not by technology alone.