PwC on security awareness; good advice but with a hidden danger
PricewaterhouseCoopers LLP (PwC) has published a new report: Security awareness: Turning your people into your first line of defence. Our current strategy, says PwC,
has been very strongly biased to improving protection, reducing risks and mitigating issues by further investment in technology; solving what is perceived to be a technical issue with a technical solution.
But it clearly isn’t working since
financial losses due to cyber-crime continue to grow and despite major steps forward in technical defences such as anti-malware and authentication systems, credit card fraud and online fraud continue to increase and identity theft is an everyday occurrence.
So PwC starts to look elsewhere, and its eye falls on the user:
According to the Computer Security Institute’s Computer Crime and Security Survey as much as 25% of respondents said more than 60% of financial losses came from accidental breaches by insiders, not external hacks. The survey also identified that less than 1% of security budgets are allocated to awareness training.
This, then, is the solution:
What is required is a new approach in which an investment in understanding and influencing the behaviours of all those concerned is balanced against the continued investment in technology and processes…
…Your people are your first line of defence and with their full support, as part of a balanced programme of protective measures, you will be well placed to mitigate the information risks facing your organisation.
Well, you won’t get any argument here! See
This latter article adds an additional argument to PwC’s thesis:
It is not that security professionals cause break-ins, but there is little doubt in my mind that, by raising the bar, we are cultivating smarter, more sophisticated and more effective forms of attack. Much as the excessive and inappropriate use of antibiotics often results in more virulent drug-resistant microbes, so we are seeing the growth of highly-professional technically-brilliant attackers against systems that have been well protected against earlier malware.
C. Warren Axelrod
In other words, relying on technology for your security solutions is like chasing your own tail: you just go faster and faster while getting nowhere. Nevertheless, there is a hidden danger in PwC’s report. It is this: many security experts simply do not believe that it is possible to educate users sufficiently for them to behave securely. Consider this tweet from one of the world’s leading security researchers, Dancho Danchev:
Years ago, I was rock solid that the end user can become security-aware. Today, I think he has to be protected from himself.
But seriously. If you don’t believe that your users can regulate their own behaviour, what is left? You do it for them. You restrict them. You monitor them. You control them. You protect them from themselves.
You can justify this because they are your employees, paid by you and working for your company. But just as the society that New Labour created all around us is a mirror of 1984, so this route will be 1984 writ small within your own organization. You may gain a little security, but it will be at the cost of the staff’s sense of liberty and empowerment that leads to contentment, innovation, active involvement, happiness, and low staff turnover. And it won’t really work, because you’ll be reverting to that very technological solution that hasn’t worked yet.
So the message you must take from the PwC report is exactly the one they suggest: empower your staff to behave securely; but never shackle them into it.
UPDATE (20 May 2015)
Edited to remove an image of Dancho Danchev at his request.