Ever found yourself unable to log on because your phone is out of charge and you need to respond to a multi-factor authentication prompt? Ever wanted to sit a proctored exam and found yourself unable to use your work laptop because you don’t have admin rights on it? Ever wanted to implement something and found your way barred because you haven’t cleared a security threshold, maybe not introducing multi-factor authentication to make life difficult for other people?
Information security can be a pain at times. Unfortunately, IT systems just don’t know who we are and that our intentions are true. And with the use of Cloud services becoming more and more prevalent, being able to differentiate between an honest user and a malevolent hacker becomes a higher-profile activity. You can see this in the progression of information security standards. Cyber Essentials and ISO27001 introduced controls in 2022 which are designed to check that we are putting appropriate Cloud strategies and controls in place.
I think most people understand that these controls are there ultimately to help us, through keeping our data safe. But how are they viewed, and how willingly do people go along with them? Or to put it another way, even if our security controls make it easier to do things right than wrong, we probably have considerable power to cause harm to our organisations by misusing data. This is where I’d like to suggest that it is not just what technical controls we use that matter, but also how we educate people.
Education is a strong thread in ISO27001 and it was going down that path that led us in NIHR CRNCC to focus on it. We already have various bits of mandatory training to do from our host organisations. Why should we do more? Well, the generic training will tell us about setting strong passwords and the like, but it won’t tell us which Cloud services we can use, or how to find out whether it is OK to use a new one. We put together a context-specific awareness programme called BE Safe (that was before COVID!) and there is only one question at the end of it: do you know what you need to know to keep information safe in your job? Now I get that more mandatory training is not the most popular answer. I know that it is no one’s favourite task or number 1 priority. I give people plenty of time to do it, and am gentle in chasing those who drag their heels. I also make a point of going to team meetings (by invitation) to talk about it and answer questions specific to their context.
If BE Safe is the bread and butter, the jam comes with my monthly blogs. These have been a big hit. People at all levels of the organisation give enthusiastic feedback as to how they help them understand information security issues better and say they actually enjoy reading them. How does that work? Well, I try to think as a user and be aware of what can easily go wrong or be misunderstood. I’m part of various focus groups where I hear people talk about getting the best out of our technology, and I use that to feed ideas. I keep an eye on trends and external issues that may be of relevance, and basically try to be aware of what might be topical.
The magic ingredient is thinking of a lateral angle to approach the subject from, and that is the bit people really like. I draw them in by talking about MOTs, road signs and road safety (for example) and then highlight a parallel within information security. Writing just happens to be the medium I’ve used. When I started I wondered if I would have enough to say. 87 blogs later I’ve not run out of ideas yet.
To extend my bread analogy, that brings me to the cream (clotted, of course). I’ve started doing information security briefings at all staff events. Previously when I’ve spoken to groups, I’ve often placed a burden on them, saying something like “we need you to do this task before the end of the month”. I wanted to introduce a more positive message while still being thought-provoking. To get my foot in the door and get time on the agenda I promised to limit the session to 2 minutes and asked for the Countdown music to make sure I was held to that. The feedback has been even more positive than for the blogs with the creative approach going down really well. It also reaches significantly more people.
Through all of this I’ve made a point of stressing that we want people to ask questions if they are not sure, and people do ask. Yes, there have been near misses, but it’s great that people have the confidence to ask, and that we are able to guide them.
There are a number of things that have made a difference in getting to this point, and my advice would be:
- Take time to get education right for your context – I didn’t work all this out in a day and some of it has evolved over years. I think it gives it more credibility and a better fit.
- Listen to what is going on, and adapt accordingly. Think like a user.
- Try to get people to think out of the box. We all know we shouldn’t fall for a phishing email. How can you put a different slant on this that helps people realise what might trick them?
- Take advice from your education experts – what formats and forums will work in your context?
- ISO27001 has really helped us and is designed to work for organisations of all sizes.
- There but for the grace of God go I! Yes, we should celebrate success (as I’m doing here), but we need to stay aware that we are not perfect, and could be the next cyber victim. That helps to sharpen the mind, and often leads to the next idea.
Or to put it another way:
- Start where you are.
- Progress iteratively with feedback.
- Collaborate and promote visibility.
- Keep it simple and practical.
[Other ITIL Guiding Principles are also available!]
Find out more about Richard’s approach to security education at our webinar Security is your friend on 26th March – free to all members. Richard has family links to both Devon and Cornwall so doesn’t take sides on whether the jam or cream should go on top.