Wander around many organisations, and by the water cooler or the noticeboard, you will probably see that someone has made an effort at raising awareness of security.
On desks, you might find a mouse-mat that urges you to keep your password secure and not write it on a Post-it note. Equally likely, it will be covered by papers, and its message invisible. Or ignored.
The chances are that within this organisation, although the efforts at security awareness may be visible, real long-term culture change will be absent; measures will be temporary, not permanent; and success will be limited, not all-embracing.
Consequently, the security risks that affect the company's business will continue. Whiteboards will continue to display details of the most recent meeting for all visitors to see, and staff will chat about company business in public places with no thought of who might be listening and able to overhear their conversations.
The problem with security awareness is that it has always been seen as an add-on to existing practices. In fact, it should be as integrated within the business as the personnel department.
Brian Collins, a security specialist and Professor of Information Systems at the Royal Military College of Science at Cranfield University, believes that everyone must get to grips with security awareness, because in the fast-moving, just-in-time nature of business, we all now depend on each other to follow the rules.
"We expect people who we may have working relationships with to follow the rules on information hygiene, just as we expect people to follow the rules of personal hygiene, or the rules out on the roads. If one person fails to follow those rules, everyone else can suffer."
According to the DTI's 2004 Security Breaches survey, about a third of UK businesses now have a security policy in place. But all too often the policy is out of step with current business practices, or worse, the policies are either not communicated to the staff, or they are communicated in a language that hardly any of them can understand.
But in some companies, attitudes are changing. Martin Smith, who runs a company specialising in security awareness, insists that security is not an IT problem, but a people problem.
"If you look at the causes of security problems, it's always down to human error. People are always happy to follow rules so long as they know what those rules are. But in most organisations, security awareness is very poorly addressed. There are too many security professionals who see it as a lightweight issue, or as an add-on."
Smith's company, The Security Company International, is now working with organisations such as Reuters, Scottish Power and ABN AMRO to turn their security policies into soundbites and language that their staff can more readily understand, allying it to each employee's daily business routines so that those soundbites are understood and acted upon.
Smith's development of his i-Wareness suite followed an approach by ABN AMRO around two years ago. Smith developed an intranet-based Knowledge Zone, where all the clients' rules and procedures are bespoke-written and accessible at the click of a button, supported by an outreach programme that has been designed to drive staff to the Zone.
This approach follows on from an earlier emphasis on security awareness through computer-based training (CBT) and, subsequently, e-learning. Currently, a one-size-fits-all security message, whether delivered on CDs or via the web, is being superseded by bespoke solutions that are available on the desktop, accessible to everyone, and backed up by screensavers and other triggers that drive employees to their security portal.
Several companies already offer consulting and training services in security awareness, in a range of formats: hosted, online, on an intranet, on a network, or on CD-ROM.
These include Easy-i, which produces For Your Eyes Only, an hour-long e-learning program to raise awareness and measure the level of understanding of information security. Issues covered in the program include entry control, clear desk policies, secure disposal, passwords, and security out of the office (www.easyi.com/products/fyeo.asp).
Another company, Insight Consulting, offers a two-day course on how to develop a successful security awareness programme. The course is aimed at the employees who are responsible for communicating information security policy to staff, including information security staff and BS 7799 project managers, as well as any staff involved with internal audit and human resources (visit www.insight.co.uk/training/te_awarenessprog.htm). Insight also provides an intranet-based option, focusing on security awareness, called the Information Security Intranet Solution.
"Traditionally, security awareness has been about 'push', pushing material out to people," says Smith.
"But we are making it 'pull'. You tell people where the information is, and they go and pull it down. It's in the form they want and need – real material put over in the language and style that their companies use.
"That information has been crafted from our clients' own standards, guidelines, policies and technology. And we make all of that information available. We're not just pushing the material out willy-nilly; our clients' user communities are able to pull it down and use it as and when they need."
Smith insists that, so far, we have educated users about the dangers, but not given them the solutions. "People ask themselves 'So what do I as a user do?'. That's where the Knowledge Zone comes in. And we use things like screensavers in an outreach programme to drive people to it. All organisations have a different look and feel, but everything is standardised around the headings 'Your Information', 'Your Computer', 'Your Office', 'Yourself'," says Smith.
The culture of organisations in their approach is particularly important in the battle to gain security awareness. Iain McLeod, a director at Easy-i, believes that success depends on getting the message across in the right way.
"You have to give people an incentive, because they're always too busy. And you have to get that message across in the culture of the organisation. It all comes down to how you word things – some people will mandate, others will request, and some prescribe a message. The key is to engage the user so they own the issue.
"People need to recognise that it's all about promoting buy-in for the individual. The approach may not only depend on corporate culture, but geographic culture too. For example, the culture in Singapore will be different to, say, Italy or Spain."
One of the benefits of adopting the 'Knowledge Zone' approach is the management information that companies can gain from the security awareness programme.
"You can see who has been accessing the system. You can check usage by department, you can track who has completed modules, whether they have been tested on it, and whether they have passed. And if things go wrong, you have some proof that those people were aware of the particular security issue," says Smith.
Awareness can also be made a significant part of staff reviews, according to McLeod.
"You can build knowledge of awareness into performance appraisals and key management performance objectives. People have got to prove they're comprehending and compliant."
Smith insists making security awareness work is about changing behaviour. "If you want to email some information to someone outside the company, you should ask yourself 'Can I email this? What rule should I follow?' Checking out Safe Use of Email in the Knowledge Zone would tell you, yes, you can. But you need to activate the 'Prevent Copying' option."
Are things getting better? McLeod, whose Easy-i company has worked with organisations worldwide, is not so sure that security awareness progress is being made across the board.
"There are still a lot of companies paying lip service to awareness. They believe that if they have a policy and have distributed it to all staff, then that's enough. They're complacent. Security awareness is a moving target. And each new technology – mobile, PDAs, or whatever – creates a new threat."
However, Smith believes that an approach that provides user-friendly policies and soundbites for staff, backed up by an outreach programme, can pay dividends.
"Companies do lose interest, it's true. And policies, projects, and people can all change. But we track the course of the awareness initiative for years to come, providing a navigable library of everything that you'll need to make practical security work."