The biggest challenge to security is people, as security people and employees are not teaching or learning the basics.
Speaking on a panel at the (ISC)2 EMEA Congress in London, Ray Stanton, executive vice president of global services at BT, referred to recent research which found that 93 per cent of breaches were due to human error and 43 per cent were down to sending email to the wrong people. He asked why we cannot learn the basics.
He said: “We can learn technology tomorrow, but the next challenge is here and if we cannot get the basics right, it is not what we do and don’t know, it is about how we influence people.”
Former Home Secretary David Blunkett said: “We need to get the human resource functions engaged so there is induction training for everyone. Outsourcing means we forget that people are not trained to a level of expertise internally, and they will be our most vulnerable point, not just in the mistakes we make like sending emails to everyone, but the vulnerabilities of people who come in and intend to get into the system.”
Stefan Luders, head of computer security at the European Organisation for Nuclear Research (CERN), said that in his world the most important thing is a change of culture, and the need to get into the minds of people without thinking of security.
He said: “Start a process of changing culture with users to get them to question what they are seeing on devices, phishing messages and once they are questioning it, you have the ball rolling and get more education on how to do things better.”
Stanton agreed that it was “about making it relevant”, while Blunkett said that if we rely on a process and systems approach, then there is no logical recovery when things happen.
“There is some chance of taking it seriously, and if people do it in their private life, then it is quite likely that it will translate into them being aware and taking it into the workplace,” Blunkett said.