Staff 'need reasons' to believe in security

Companies won't get far in putting their security policies into place unless they pay attention to the human element, according to a government consultant

Companies must ensure that their staff understand the reasons behind security policies and support them, rather than just dictating them from on high, a government consultant said at Secure London 2005 on Tuesday.

Paul Hansford, class consultant for GCHQ and senior consultant at Insight Consulting, said that many security procedures fail because staff don't understand what their company is trying to do.

"It is not enough to get staff to literally 'sign up' to procedures — they must fully appreciate their purpose," he said.

He recalled an apocryphal story illustrating the point: "A colleague went into a government agency and at one cluster of desks saw a line of 'bobbing bird' toys. The system locked out the user if they didn't touch the keyboard for a certain length of time, and required them to re-input their password. The 'bobbing birds' were lined up next to everyone's computer so that they would tap the 'enter' key every 30 seconds."

The underlying beliefs of staff can be at odds with security policy, he said. "People tend to have a 'What's in it for me?' attitude. For example, some people may feel that it's fine to share passwords if it makes the business tick over, their attitude being that business is more important than security," Hansford said.

"Companies need to assess people's security training needs, which includes having to elicit how security 'aware' they are," he said. "Awareness is not just about education and training, but is also an appreciation of, and a motivation to support, an issue."

An IBM security expert emphasised the need to monitor personnel to maintain security levels.

"Personnel security is not just about initially screening and vetting employees, but it's also about monitoring the guy who might have personal problems," said Julian Lander, IT security programme manager with IBM. "If their work performance isn't right, they may be involved in drug or alcohol abuse, or if they have an overelaborate lifestyle — which I've seen in the past — that can indicate possible security problems."

Lander argued that security procedures need to recognise the human factor. "Security is about people. Speaking generally, the way to address the problem is by coaching, mentoring or counselling — all the soft skills that HR has. You have to work with HR to maintain a successful security policy," Lander said.

According to Hansford, security standards become harder to maintain as more staff work remotely - noting that more than half of all UK businesses currently allow staff remote access.

"As more staff work remotely, physical security is difficult to achieve. At the end of the day (employers and security professionals) won't be there, so procedural security needs to be got right," he said.