SINGAPORE--Security experts are calling for greater emphasis on human factors in dealing with IT security risks and reiterating the need for technology to be the last line of defense.
Speaking at the Enterprise Information Security 2010 conference held here Tuesday, Fuller Yu, vice president of resiliency and IT risk management at JP Morgan Hong Kong, said the key to protecting sensitive data is to inculcate an environment where employees are educated and aware about potential risks. He revealed that the financial services company requires all its staff, as well as third-party vendors that have access to JP Morgan's data, to undergo IT security training.
Yu explained: "The training is to ensure staff members take responsibility in maintaining data security. You will take very good care of your mobile phone and money, so this applies to data at work. If there is no proper training, people may shirk responsibility and say this information does not belong to me."
He also urged senior IT executives to start similar training programs, as education is a "multi-investment and most effective way" of keeping the organization's sensitive data and transactions secure. It is not enough to simply rely on technology alone, he said.
Muhammed Dawud Saifullah, head of IT infrastructure at Celcom Axiata, concurred. He acknowledged that while most organizations have to work within limited resources, they should evaluate the feasibility of increasing efforts to train staff members to better handle security matters.
Also a speaker at the conference, Saifullah suggested using branding and marketing tactics, such as corporate wallpaper with a one-sentence reminder highlighting "safety" best practices to drive home the message. Such "motivation" efforts are especially relevant in combating security attacks which carry a sociological element, he said.
He pointed to Kevin Mitnick, the infamous hacker who, among other crimes he committed, was able to obtain the source code of a Motorola mobile phone simply by speaking to a staff member and "dropping names".
Saifullah said studies have shown that it is human nature to respond to familiarity and form relationships, and Mitnick took advantage of this trait and deployed social engineering to gain sensitive information.
"For you to secure the infrastructure, you need to look at what motivates people to act the way they do, then come up with initiatives such as slogans or mascots. With greater understanding comes better security behavior," he said.
However, he cautioned against implementing tough penalties for any breach of security protocols, as it is proven that security effectiveness is inversely proportional to the severity of the punishment. "Whereas, if employees buy in [to the idea], then it becomes a motivational factor [to comply with the protocols]," he said.
Deepak Rout, chief information security officer at Uninor, added that if IT departments feel the need to implement penalties for policy breaches, these should be linked to HR (human resource) policies to ensure effective results.
UAE faces government challenge
While enterprises today face a multitude of security issues in the workplace, those operating in the United Arab Emirates (UAE) have more issues to address, according to Samir Abdullah, director of fixed and core network security at du, a telecommunication services provider based in the UAE.
Samir, who also spoke at the conference, explained that operators in the local telecom industry have to comply strictly with regulatory guidelines and need extra manpower to monitor certain applications such as Skype.
"You always keep a certain percentage [of the budget] dedicated for security, and enterprises have to be mindful that this is an expense that they have to consider," he explained.
There are currently two telecom operators in the UAE, including state-owned Etisalat, with a rumored third to be given a slice of the pie. The government also has a stake in du.