The world of information security is, arguably, the fastest evolving sector of the IT industry.
It is no exaggeration to state that new exploits are written every day, and the InfoSec community responds to these threats with no less rapidity. As the field continues to evolve, we can rarely go a few short months without a game-changing exploit dropping, or sensitive, personal information being stolen by malicious agents.
We live in a world where information security is paramount.
We also live in a world of specialization. Gone are the days where companies handle everything 'in-house', a methodology that has given way to the current "third-party vendor" landscape we see in today's B2B world. A company is no longer stranded, alone at sea. Instead, the company finds itself part of a vast fleet, surrounded by ships, each tailored to a specific set of problems.
It is this landscape that has caused an increased interest in information security as a third party. The Trustwave Global Security Report 2018 cited a 9.5% increase in "third-party vendor"-based risk between 2016 and 2017. Hackers are looking for the weak link, and upon finding the first link in the chain strong, they work their way down the line.
As such, third parties are required to meet, if not exceed, the information security requirements of their clients.
Freedom VS Security
One current issue in the world of information security is the vast amount of misinformation that surrounds the subject. A great number of sources suggest that the process of securing information systems follows a traditional (and, in my opinion, outdated) work model. In this model, the CEO makes the decisions regarding the security policy and attempts to enforce them. Anyone who has ever been locked behind a school or library's firewall will be familiar with how distrustful (and, frankly, ineffective) this approach can be.
It forces us to ask whether it is better to sacrifice some measure of freedom for security. Benjamin Franklin suggested that "Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety." But then again, Benjamin Franklin never had his Facebook account hacked.
Whilst this 'prison' scenario does fill me with some mirth when thinking of our CEO, Timo, manning a watchtower, casting a careful eye over the 'factory floor' to ensure no one disobeys, this is simply an unrealistic vision of the workplace.
Finnish Business Landscape
A staggering 98.8% of Finnish companies are considered 'small-to-medium enterprises', falling within the 1–50 employee range. This close-knit environment works on an atmosphere of trust.
This leads us into a precarious position, whereby we must maintain trust relationships with our clients while also giving employees the freedom to operate to their maximum potential. InfoSec professionals in Finnish companies perform an odd balancing act.
No blanket measures can be enforced. Not only do blanket measures stifle, if not outright destroy, the trust environment required within a modern Finnish company; they simply do not work.
Security measures cannot counteract social engineering, nor the addition of vulnerable mobile devices to wireless networks (at least not without seriously impeding workflow). Additionally, The Need for a New IT Security Architecture: Global Study, sponsored by Citrix, demonstrates that people in different age groups are vulnerable to different varieties of attack. As such, any overarching measure that prevents the issues of one group would negatively impact another.
We cannot, however, ignore that 68% of security incidents are caused by user error, with an average of 50% caused by simple negligence.
The responsibility for information security is incumbent on every member of an organization.
Steps To Take
1. Training
The first step in strengthening the human element against security threats is training. When the responsibility falls on every single person, it becomes paramount that these people know and, more importantly, follow information security guidelines.
As security threats are in constant flux, our guidelines must change along with them. Ten years ago, an 8-character alphanumeric password would cut it. Today, thanks to modern techniques and more computing power, 12 characters could be considered a bare minimum. Moore's Law also suggests that, in another 10 years, we may well be looking at 16 or 24 character passwords at minimum.
2. A Secured Toolkit
The most common breach, as well as one of the most dangerous when we talk about the human effect on information security, comes not out of malice but familiarity: the use of tools with known security flaws and defects.
Many IT security professionals will have heard the same line: "But I've used <program> for years." Familiarity may cause people to keep using older, insecure versions of programs for the sake of convenience.
This is such a large problem that it is even listed in OWASP's Top 10 Application Security Risks for 2017 as A9: Using Components with Known Vulnerabilities. Technically, that list is talking about server-side applications, but the implications are still very relevant.
3. An Open Conversation
The single most important aspect of information security when dealing with the human element is an open conversation: a dialogue flowing back and forth. Although it might seem like a contradiction, in security an open nature is a virtue.
We can explain with an example from a cornerstone of security, the VPN.
VPNs are virtual private networks that allow computers scattered across physical locations to connect to the same private network. Two common VPN protocols are SSTP and OpenVPN. SSTP is a proprietary Microsoft protocol, while OpenVPN is open source.
SSTP's code has never been released to the public, and as such, no independent review of its security can be performed. By contrast, OpenVPN's security can be verified not only by the creators of the protocol but also by the open source community, which has sifted through every line of its code.
This is why the open dialogue is so important. The closed, restricted approach creates an adversarial workspace: an atmosphere of 'Us vs Them', with Us being the IT security staff and Them being everyone who feels constricted by untrusting regulations.
4. The Environment of Security
The third-party environment is often seen as a hub-and-spoke architecture, and from a single point of view this is technically correct.
However, when looking at the picture from a higher level, we can see an interlinking of networks and services: Outlook for email, Amazon Web Services as a hosting supplier, Oracle and Salesforce supplying our marketing automation platforms.
Any company, even a third party, relies on the security that results only when each and every link in the chain lives up to the same security standards.
While information security is incumbent on every member of an organization, so too is the responsibility for reporting breaches. Once an employee is taught the rules, it is on them to follow them and to report any breaches they notice. As before, it is an environment of trust, and trust flows both ways.
This by no means suggests that the job of information security is over with training. Not only does the InfoSec professional have to act as the interface for the open conversation we discussed above, they must also monitor the networks, servers, and even the usage of IT devices.
As the Russians have it: Доверяй, но проверяй. Trust, but verify.