saahil goel information security and awareness amongst top management

Upload: saahilgoel6110

Post on 30-May-2018


TRANSCRIPT

  • 8/14/2019 Saahil Goel Information Security and Awareness Amongst Top Management

Information Security Awareness Amongst Top Management

Joseph M. Katz Graduate School of Business, University of Pittsburgh
November 26, 2007

Information security has increasingly become a critical IS management issue amongst businesses. The majority of the problem arises from a lack of proper understanding, amongst business and IT leaders, of the negative effects of a lack of information security.

Author: Saahil Goel


Executive Summary

Information is the lifeblood of almost every organization in today's electronic-communication-oriented world. IT has changed its position drastically, from once being a support function to becoming the chief business driver. Even though information systems are so heavily relied upon by businesses, the same importance is not given to securing this information. While it seems obviously logical to protect information that is so sensitive to the workings of many companies, in reality many companies do not consider information protection to be a critical issue.

Most of the issue exists because of the attitude that business leaders and decision-makers have towards information security implementation initiatives. Most business leaders view information security as a purely IT initiative rather than a company-wide one. Further, ignorance about the devastating effects that a lack of information security can have exacerbates the problem. By not investing in spreading (and learning) information security awareness, businesses expose themselves to risks such as lawsuits, loss of customer trust, loss of business, and loss of sensitive information to competitors.

Business leaders need to understand that information security is as important as obtaining the information in the first place. This is especially relevant for businesses in the financial services industry (FSI). Companies in the FSI sector hold sensitive customer information, the loss of which not only affects the reputation of the company but may also cause actual financial losses to the customer. Also, because most transactions are electronic in the current banking environment, a hole in the boundary protecting information can cause a lot of damage. Businesses need to make sure that information security decisions go hand in hand with all business decisions. For example, if a company is undergoing a merger with another company, it becomes imperative that information security considerations are given as much importance as the actual consolidation of transactional and profile data from both companies. Business leaders also need to be made responsible and accountable for heading information security initiatives in companies, rather than this responsibility resting solely in the hands of the information technology department.

Information security training is also something companies are embracing; however, the rate of adoption is not very encouraging. Top management needs to ensure that, in addition to learning about information security themselves, they also make the need for following stringent procedures and policies felt within their companies, from the top down to the most junior employees. Leakage of information can happen at any level of an organization; it is up to the business leaders to make sure that their attitude and their decisions support their organization's ability to counter this threat at all levels. Not only should robust and technically advanced information security technology be implemented, it should be kept current and utilized to its maximum potential. Information security implementations not only help companies prevent disasters caused by information compromises; they can also help them save money and in some cases provide opportunities for additional business.


The Issue, Context and Motivation

By and large, every organization has had its share of information security breaches. Breaches can be both internal and external, the former being the more dangerous kind. Internal breaches are of higher concern since the attacker (or hacker) will have relevant information about the company and will know where the loopholes exist. Other breaches are unintentional. In fact, awareness about information security is the key to reducing, if not eliminating, losses caused by compromises in security. Employers must take on the responsibility of training their employees about the possible effects of irresponsibility on the employees' part in following security guidelines. Further, board members themselves need to be aware of the potential consequences that information security violations can have.

With strong government regulation around security in organizations, such as the Sarbanes-Oxley Act of 2002, organizations have taken measures to comply. However, awareness and a drive to protect information are still lacking. Organizations have been taking a reactive approach to solving information security problems rather than a proactive one, which is harmful in the long run. For example, all financial services companies, such as banks, insurers and trading companies, maintain all their customer data online. If this information were to get into the wrong hands, the company could face a severely hurt reputation, lack of trust from its customers, lawsuits or even bankruptcy. Apart from saving a company from these troubles, a well-implemented information security system also adds value by providing cost benefits through efficiency in the workplace.

According to the 2007 Global Security Survey conducted by Deloitte Consulting LLP, 71% to 89% of financial services companies across the globe feel that security has risen to the attention of corporate board members as a critical area of business. However, only 0% to 18% of financial services companies reported that their information security strategy is led and embraced by line and functional business leaders. Hence, information security is currently regarded as a purely technology initiative.

The real challenge with information security is spreading awareness of and concern about information security to the business leaders in every organization so that it is given key importance in business functioning. Further, growth in the volume of business both vertically and horizontally, the complexity of technology and enterprise solutions, and the global nature of the economy lead to highly complex information security requirements, and to corresponding risks when those requirements are not implemented.

Information security is one aspect of technology and risk management that affects all organizations. Even though it might affect some organizations more than others (banks, insurance, government, universities, aviation, logistics, stock trading, online retailing), eventually it will have a major impact on all kinds of organizations. In fact, governments in many countries other than the USA have not yet taken deep initiatives to move towards e-governance and electronic citizen records, but at some point they will. To take an example even within the USA, there is discussion about digitizing all health records across hospitals and universities in the United States to better serve patients and to make medical research easier by collaborative knowledge sharing. This initiative will require strict security controls, as any intended or unintended tampering with information in this situation could mean the difference between life and death.

Of all the issues related to information security, Identity and Access Management (IAM) is usually considered one of the key issues from an organizational viewpoint. According to the Deloitte survey mentioned above, the top five initiatives of financial services organizations are identity and access management, security and regulatory compliance, security training for awareness, governance for security, and disaster recovery and business continuity. Identity and access management will become all the more important, and more difficult, as governments implement systems to authenticate citizens using centralized databases. Already, governmental organizations such as the Federal Bureau of Investigation and the Central Intelligence Agency maintain centralized and highly secured databases of information on criminal activity across the world.

Within organizations, information security (particularly identity and access management) is difficult to implement thoroughly, mostly because of awareness and training. For example, even though a company's IT department may drive management towards implementation of such a system, unless management sees a potential cost saving in the initiative, they are not very supportive of it. This mindset needs to change. Top-level management needs to be more aware of the risks they are exposed to and should openly adopt technology to secure them from those risks.

Another difficulty arises because of the complexity and scope of information security systems. Before Sarbanes-Oxley was enforced, most organizations worked with multiple systems (sometimes hundreds), each with its own digital identities. The digital identities were controlled by people and decentralized across the various systems. As a result, people could have access to resources which should normally have been restricted. Sometimes this was the result of pure carelessness, i.e. human error; at other times it was driven by malicious intent. To further illustrate the problem of accurate role definition with respect to digital identities, consider this example: a system administrator, relatively low in the organizational hierarchy compared to the sensitivity of the information being protected, had all the rights in the world to go into any system and grant anyone any access. This example illustrates that information security troubles need to be addressed at the root; in some companies this may even mean organizational restructuring. In some companies that were converting to digital information security systems post-SOX, even proper audit trails were not in place. This gave rise to many information security breaks and leaks, some of which went unreported. As a result of Sarbanes-Oxley, organizations scrambled to secure their information and infrastructure.

While larger corporations are able to do this by investing huge amounts of capital in enterprise-wide systems that enable efficient implementation of technology risk management solutions, many smaller companies compromised with self-built systems which are neither long lasting nor provide any value to the companies. Even though technology risk management, information security, identity management and privacy are recognized as important issues by the government and some business leaders, there are no concrete guidelines in place on how deep the information security infrastructure of a company needs to be. As a result, companies have gone for external certifications such as an ISMS certified against ISO/IEC 27001 (for example through BSI) so that they have reputation and standing in the market.


Again, for medium-sized and smaller organizations, getting such certifications is a challenge. Firstly, their budgets do not allow such implementations, and secondly, because of the way their current systems are set up, it is very difficult to change them to comply with the guidelines set forth by the certification. For example, centralizing all identities from all applications running within an organization, maintaining a single audit trail for each identity, and keeping a centralized access control matrix are difficult tasks. It is also important for companies to be able to grant relevant access to people automatically, rather than allowing decentralized control of these decisions. Many organizations still follow a process in which the employee's hiring manager is responsible for making these decisions. A risk-averse system would be one in which access is granted automatically to the relevant individuals with very little human intervention. Any human intervention that does take place should be under the wing of a risk management department within the company which can judge the impact of any change to the status quo of the access control matrix. Further, external auditing of these access controls by external agencies should be enabled, with results monitored by governments. This poses a great challenge for SMEs (small and medium enterprises) as well. To achieve this target, a highly controlled input of data is required (such as Human Resources creating an employee's record on joining the company). Also required is a very high emphasis on the quality of the data being entered into the system, since a small mistake can have a major impact on the organization's security. For example, companies where employee accounts are manually controlled might fail to deactivate an employee's account long after he or she has left the company. With company intranets reachable over the internet and with the high attrition faced by many organizations, a devious former employee could easily retrieve confidential information, such as a company's plan for a new product line or a company's new initiative against competition, and make that information available to competitors, causing the company to actually lose profits.
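The automated, HR-driven model described above, as an added example that is not part of the original paper: a reconciliation job in Python that takes the HR roster as the single controlled input, derives what each account should hold from a role-to-entitlement table (the access control matrix), and emits an audit trail of decisions. Leavers whose accounts were never deactivated are flagged for disabling, movers lose entitlements their new role does not carry, joiners get a creation request, and any account with no HR owner is escalated to risk management rather than silently fixed. The roles, entitlements, employee IDs and dates are constructed for the example.

```python
"""Identity lifecycle reconciliation: the HR roster is the single controlled
input, a role-to-entitlement table stands in for the access control matrix,
and every directory account is compared against what its owner's role allows.
Added example with constructed data; roles, entitlements and employee records
are assumptions, not any real company's."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

# Assumed access control matrix: the entitlements each role may hold.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "analyst": {"intranet", "reporting"},
    "fund_manager": {"intranet", "reporting", "trading"},
    "helpdesk": {"intranet", "password_reset"},
}

@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    role: str
    end_date: Optional[date]  # None while still employed

@dataclass
class Account:
    employee_id: str
    enabled: bool
    entitlements: Set[str] = field(default_factory=set)

@dataclass(frozen=True)
class Decision:
    employee_id: str
    action: str  # create | disable | grant | revoke | escalate | ok
    detail: str

def reconcile(hr: List[HrRecord], accounts: List[Account], today: date) -> List[Decision]:
    """Return the audit trail of actions that bring the directory in line with
    HR. Nothing is changed here: a provisioning job applies create/disable/
    grant/revoke automatically, and 'escalate' goes to risk management."""
    hr_by_id = {r.employee_id: r for r in hr}
    trail: List[Decision] = []

    for acct in accounts:
        rec = hr_by_id.get(acct.employee_id)
        if rec is None:
            # Orphan: nobody in HR vouches for this account.
            trail.append(Decision(acct.employee_id, "escalate", "no HR record"))
            continue
        if rec.end_date is not None and rec.end_date < today:
            # Leaver: the account should already be disabled.
            if acct.enabled:
                trail.append(Decision(acct.employee_id, "disable", f"left {rec.end_date}"))
            else:
                trail.append(Decision(acct.employee_id, "ok", "leaver already disabled"))
            continue
        allowed = ROLE_ENTITLEMENTS.get(rec.role)
        if allowed is None:
            trail.append(Decision(acct.employee_id, "escalate", f"unknown role {rec.role}"))
            continue
        # Mover or drift: revoke anything beyond the role, grant what it lacks.
        for ent in sorted(acct.entitlements - allowed):
            trail.append(Decision(acct.employee_id, "revoke", f"{ent} not in role {rec.role}"))
        for ent in sorted(allowed - acct.entitlements):
            trail.append(Decision(acct.employee_id, "grant", f"{ent} required by {rec.role}"))
        if acct.entitlements == allowed:
            trail.append(Decision(acct.employee_id, "ok", f"matches role {rec.role}"))

    # Joiners: HR knows the person, the directory does not.
    known = {a.employee_id for a in accounts}
    for rec in hr:
        if rec.employee_id not in known and (rec.end_date is None or rec.end_date >= today):
            trail.append(Decision(rec.employee_id, "create", f"role {rec.role}"))
    return trail

# Constructed sample data (not real records).
SAMPLE_HR = [
    HrRecord("e100", "fund_manager", None),           # current, access correct
    HrRecord("e101", "analyst", date(2007, 10, 31)),  # left, never deactivated
    HrRecord("e102", "analyst", None),                # just hired, no account yet
    HrRecord("e103", "analyst", None),                # moved down from fund_manager
]
SAMPLE_ACCOUNTS = [
    Account("e100", True, {"intranet", "reporting", "trading"}),
    Account("e101", True, {"intranet", "reporting"}),
    Account("e103", True, {"intranet", "reporting", "trading"}),
    Account("svc_old", True, {"intranet"}),           # no owner in HR
]

def run_example(today: date = date(2007, 11, 26)) -> Dict[str, List[str]]:
    """Summarize the trail as {action: [employee_ids]} for a quick report."""
    summary: Dict[str, List[str]] = {}
    for d in reconcile(SAMPLE_HR, SAMPLE_ACCOUNTS, today):
        summary.setdefault(d.action, []).append(d.employee_id)
    return summary

if __name__ == "__main__":
    for d in reconcile(SAMPLE_HR, SAMPLE_ACCOUNTS, date(2007, 11, 26)):
        print(f"{d.action:9} {d.employee_id:8} {d.detail}")
```

Run as a script it prints one line per decision; `run_example()` returns the same trail summarized by action. The design point is that no hiring manager grants access by hand: the only human step is the "escalate" queue, and every other change is derived from the HR record, so a missed deactivation shows up at the next run rather than months after the person has left.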

In conclusion, the chief issue around information security is the lack of awareness amongst employees, non-technology departments and senior management in a company. This is compounded by the growing size of companies and the need for extremely complex enterprise solution systems. Further, there is not enough support from the government in terms of enforcement or the existence of technology-risk-specific guidelines. Also, initiatives such as identity management can help companies save money and in some cases even make money; therefore a lack of awareness of such initiatives is causing companies to incur heavy opportunity costs and putting them at a competitive disadvantage.


The Position and Perspective

As is clear from the above discussion, the chief reason for the lack of security control systems revolves around awareness of information security. For people to feel the need for awareness, awareness of the need for information security awareness is required. For example, human resources staff in a company may not view information security as critically as a person in technology would, for the simple reason that they are not aware of the potentially devastating effects their actions could have. The training and awareness issue can only be resolved by government controls, management focus and adequate training for all employees in a company. Internal certifications on information security should be made mandatory for employees within a company as part of information security training.

The role of government is vital in the establishment of information security initiatives. Along the lines of Sarbanes-Oxley (2002) in the USA, J-SOX, Japan's Financial Instruments and Exchange Law, will be effective from April 2008. This is causing Japanese financial services companies to standardize their information security processes and systems. This example highlights a trend towards government compliance in other parts of the world in the future, and the fact that a government decision on information security can be very influential in pushing organizations towards implementation of effective controls.

The ignorance and indifference displayed towards security is also portrayed by the article "Businesses More Concerned About Mobile, Remote Security, But Still Ignore Training" in InformationWeek[i]. Lack of information security awareness not only causes direct impact, such as breaches and the negative effects associated with them, but also causes users to become complacent about implementing security at all. This could lead to a vicious circle where lack of information security leads to further complacency towards learning about it, leading to a potentially dangerous situation. Further, with an organization's employees uneducated about security, it falls to business unit leaders to take the initiative, and top management then follows suit: it has a cascading effect. Information security awareness has to begin at the lowest level and proliferate its way up to top management for any results. According to Jones, even though sixty percent of organizations reported an increase in security issues related to mobile corporate users over the last 12 months, most companies ignore security training. Further, only 10% of companies plan to implement security training over the next 12 months (according to research from TNS Prognostics). In fact, the article also mentions that 90% of the companies that implemented information security awareness training have seen a reduction in the number of information security breaches.

Besides business leaders' lack of awareness of the various technologies available, of the devastating effects of a lack of information security, and of the potential savings that certain kinds of implementations can generate, business leaders also need to check their attitude towards information security and systems implementations in general. Not only are many executives unaware of the weak security that exists within their organizations, they are also unwilling to implement better security to protect their businesses unless they see a clearly tangible economic advantage in the effort. As described in the article "Info Security from the Ground Up" in BusinessWeek[ii], even though CEOs have made considerable investments in security infrastructure following the September 11 attacks, they still view security as a sunk cost. That is, they do not find any real benefit to business from implementing security. Management still needs to know (and measure) the economic benefits that would come out of implementing an enterprise information security system. Despite the fact that information security implementations do offer economic benefits in savings (from potential lawsuits, bankruptcy, leakage of confidential information and fraudulent transactions) and in increased productivity, efficiency and brand equity, it is still hard to sell information security to management. This brings out an underlying difference of opinion and perhaps an unwillingness of business leaders to learn about information security holistically. The problem could lie in the fact that the information currently available is not easy for a non-IT individual to understand. As pointed out by Gary S. Miliefsky, one of the seven best information security practices is to deliver corporate security and awareness training and make it simple enough that an 8th grader can understand it[iii]. The problem could also lie in the way information security is presented to management. Unless all business unit leaders are involved in a security implementation initiative at a company, top management will not take notice of it. If each business unit leader is made aware of the potential benefits of security and the savings it could bring their unit, it would be easier to approach top management with support from senior management.

Even though there is a lack of security awareness amongst management in most industries, the financial services industry has a higher information security spend than other industries. It also employs the latest technologies for protection of its information. Since the primary goal of a person trying to compromise security is money, financial services institutions become prime targets for such attempts. FSIs also have most of their operating data electronically available over the internet, since customers deal directly with these companies through corporate portals. Further, financial services companies are able to write off information security expenses through linkages with business processes. The FSIs report the lowest cyber-crime rates amongst all industries and have employed technologies such as identity management and intrusion detection tools. According to "The Global State of Information Security 2006" report by CIO, security executives still need to persuade top management to implement information security[iv]. It might be easier for security executives working in the FSI, as they can tangibly measure the benefits from security implementations and the value added for shareholders. In fact, financial services is one of the few industries which measures the result of information security implementations in terms of return on investment and potential impact on revenue. Further, FSIs are governed by regulations such as the Sarbanes-Oxley Act of 2002. The report further states that since regulations play such an important part in the healthcare, government and education sectors as well, those too would be expected to employ high security. But that is not the case. The government and healthcare sectors benchmark themselves against other (non-FSI) sectors to keep abreast of information security trends. The above discussion in the report outlines two important results: firstly, companies still have security executives doing the "selling" work to top management. Even though it might work in the FSI, it will not work as well in other industries where it is hard to justify the cost of implementation. Secondly, it shows that there is a lack of awareness across all sectors, including some which need critical attention to security and do NOT have budget constraint problems, such as the government. There is either a lack of information security awareness in certain sectors or, if the information is there, it is not understandable or not tailored to its audience.

Even though information security currently affects the financial services industry with respect to government regulations, other industries will soon be impacted by this. The lack of information security can have devastating impacts. For example, if a person higher up in the organization, having access to very sensitive data about the organization, is not careful about his or her access controls and/or standard security procedures, he or she could inadvertently cause a breach. For example, a fund manager for a mutual fund company has relevant financial data on his system. While logging on to the corporate intranet, he falls victim to a phishing attack in which his credentials are captured by an attacker working for a competitor. All information about the mutual fund that is being shared electronically would be compromised. If the manager had been trained specifically in the use of the company's systems, he could have followed certain checkpoints. For example, some companies display a unique token (for instance an image or phrase the user chose at enrollment) on the login page of sensitive software which is recognized only by that user, in an attempt to foil phishing attacks. Since there are other sophisticated ways of extracting access credentials, companies are also moving towards token-based and biometric authentication measures. For example, some companies require certain employees to swipe their fingerprint over a reader along with entering their access details into a system. This way, even if somebody is able to obtain the access details in text form, without the biometric authentication access to highly sensitive applications would be refused. Since biometrics may be considered too extreme for some cases (because of the cost involved and the complexity of implementation), other alternatives such as a physical token that generates a one-time number can also be employed. HSBC currently uses this technology for all its credit card customers in Asia. Without the combination of a correct username, password and the number generated every 30 seconds or so by the hand-held token device, a user is not allowed to gain access to the online system.

Information security implementations not only protect companies from breaches of security and loss of reputation, business, etc., but can also help companies save and in some cases actually make money, if implemented in a proper and recommended fashion. Companies may lose large amounts of money facing lawsuits and placating irate customers, both of which arise from a breach in security. Companies may also go bankrupt if critical information reaches their competitors and the competitors capitalize on a plan that was vital to that company. However, systems such as identity and access management in the information security domain can help companies generate and save money. For example, a simple IAM system which brings down the number of helpdesk calls related to password resets can save some companies about 30% of their helpdesk costs. Further, the employee productivity lost to forgotten passwords, though hard to measure, also comes down and hence increases overall business productivity. By enabling robust security systems, companies can also allow customers to interact directly with the company, cutting out several physical layers which exist currently and enabling sophisticated automation. For example, customers may be able to purchase products such as health insurance directly online without interacting with anybody. This not only brings down the cost of additional manpower but also enhances the customer experience, leading to intangible benefits as well. Using systems for federation, companies can drastically reduce the transaction costs that would exist without it. Federation allows two companies to conduct business in a seamless fashion (with respect to connectivity) even though they are organized as two separate entities. This is useful when companies work on collaborative projects or when there are partial mergers for a particular project, as an entire revamp is not required in these cases.


Recommendations

The first step towards implementing information security is to create awareness amongst top management so that information security spend is viewed not as a sunk cost but as an investment. Only if this awareness exists will business leaders take proactive steps towards implementation of such systems. Also, involvement of information security teams in critical business decisions is something that should be ingrained in business leaders' minds. Information security can be effectively leveraged only if it is built into the systems and processes within a company rather than treated as an additional function. It is best thought of as a wrapper around all systems and processes, thereby allowing the most efficient streamlining and a robust and secure computing environment.

To successfully make business leaders aware of information security and its advantages, the communication gap between top management and security professionals needs to be reduced. Also, since business leaders are not directly involved in heading or managing information security initiatives, information security is usually less aligned with business objectives than it could be, leading to an even greater communication gap. Thus, business unit leaders and top management should be actively involved in heading information security projects and should make the key decisions in this area; the implementation may be left to the security personnel.

In addition to improving communication amongst the various parties, a corporate culture needs to be established which encourages computing in a threat-free environment. This will improve not only the attitude of a company's employees towards security but also that of top management. A company's employees follow what the leaders have to say; only when security is demonstrated to be a critical element by way of top-down pressure will it be taken as seriously as it should be.

Businesses also need to realize that information security is something that should be implemented as a proactive measure rather than a reactive one. There are numerous examples of mistakes made by other companies which have cost them millions of dollars along with damaged reputations. To this effect, governmental regulation will help a lot. Therefore, in addition to corporate responsibility for security measures, governmental support and enforcement should be made stringent and more detailed. Currently companies are certified by external agencies (ISMS/ISO 27001). In future, the government could partner with these agencies and make these certifications mandatory for certain kinds of businesses. This will not only ensure that security is actually implemented but will also send a message to employees, customers, stakeholders and the top management of other companies about how critical security is to a company's success or failure.

Since information security awareness is so critical, some of the possible specific steps that can be taken are outlined below:

a) Top Management Buy-In and Awareness: Top management needs to understand what the relevant business savings and cost advantages of using information security systems are. Currently, not enough material and/or training modules exist for measuring the benefits of security system implementations. Since such information does not exist, it is not easy for corporate leaders to absorb purely technical information. Such information material and return measurement techniques and tools should be created, which would then generate the relevant material and help create two kinds of knowledge: technical knowledge and implementation know-how on the one hand, and business benefit knowledge, threat knowledge, understanding of risk assessment, etc. on the other.

b) Employee Training: Apart from top management being aligned to a company's security needs, the next most important entity is the organization's employees. A large share of security breaches originate from within an organization, whether through malicious intent or through carelessness. Incentivized training programs for employees should be incorporated within organizations. Mandatory internal certification programs should be organized and surprise internal audits should be conducted. Defaulters should be penalized to show seriousness. External security certifications (such as Certified Ethical Hacker and the Cisco security certifications) can be offered free of charge to technical personnel within the company. This serves a dual purpose: it encourages employees to take these certifications, and it helps the company by creating a culture that is aligned to information security and, of course, to industry-level security practices as well. Information security training should be imparted to employees in all departments: legal, HR, operations, IT, accounts and finance. This ensures that the knowledge penetrates even the non-technical verticals within a company. Employees should be made aware of the role they have to play in the security process.

c) Stringent security policies: It is surprising that, even with the technical know-how and the right tools available, companies still do not implement stringent security policies. Simple policies such as disallowing default passwords and enforcing password changes at set intervals do not require heavy investment, just the right mind-set towards security. (One caveat on the second point: more recent guidance, notably NIST SP 800-63B, advises against forcing arbitrary periodic password changes and instead favours screening new passwords against lists of known-compromised values and requiring a change only when compromise is suspected.) Companies should take the technology they already have and make optimal use of it. These policies should also be strictly enforced. For example, if there is a defined process for resetting forgotten passwords, it should be followed stringently, with no exceptions, since a help desk that can be talked into skipping identity verification is a classic social-engineering target. Such measures ensure that security policies are not just written down but also enforced.

d) Intrusion detection systems and auditing: Even though many organizations have some kind of information security system implemented, rarely do they have documented breach-handling processes in place. Specific documentation should be put in place on how to handle a security breach effectively, and specific people should be made accountable for handling breaches in a streamlined fashion. Before breaches can be reported at all, intrusion detection systems must be in place. While off-the-shelf products are available for this purpose in the network security arena, fewer effective products are available for data security, so in-house development or customized solutions may be needed there. Further, auditing and reporting should be done and analyzed on a timely basis. One such report could be the maximum number of unique logins to a particular application from one desktop; over several time periods this data helps identify potentially malicious employees (or misused desktops) within an organization. Other useful reports are failed authentication attempts, unchanged passwords and the maximum length of inactive sessions. Such reports help identify users who are insensitive to security, both the careless and those with malicious intent. Auditing also maintains a trail of which actions were undertaken by which employees, which makes corrective action easier. These steps verify whether the training imparted to employees was absorbed and, if need be, re-training should be conducted and/or penalties imposed.
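As an added illustration, not part of the original paper, the two audit reports described above (distinct accounts logging in from one desktop, and bursts of failed authentication attempts) computed in Python over a constructed sample of application login events. The key=value log format, the field names, the hosts and users, and the thresholds are all assumptions chosen for the example, not the output of any real product.

```python
"""Two of the audit reports from item d), run over constructed login events."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (assumed key=value layout, fictitious hosts and users).
SAMPLE_LOG = """\
2007-11-20T08:01:10 app=payroll host=WS-101 user=alice result=success
2007-11-20T08:03:42 app=payroll host=WS-101 user=alice result=success
2007-11-20T08:15:00 app=payroll host=WS-117 user=bob result=failure
2007-11-20T08:15:09 app=payroll host=WS-117 user=bob result=failure
2007-11-20T08:15:21 app=payroll host=WS-117 user=bob result=failure
2007-11-20T08:15:40 app=payroll host=WS-117 user=bob result=failure
2007-11-20T09:00:00 app=payroll host=WS-204 user=carol result=success
2007-11-20T09:05:00 app=payroll host=WS-204 user=dave result=success
2007-11-20T09:10:00 app=payroll host=WS-204 user=erin result=success
2007-11-20T09:12:00 app=payroll host=WS-204 user=frank result=success
2007-11-20T09:30:00 app=crm host=WS-204 user=carol result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) app=(?P<app>\S+) host=(?P<host>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_events(text):
    """Turn the key=value lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        d["ok"] = d.pop("result") == "success"
        events.append(d)
    return events


def unique_users_per_host(events):
    """Report 1: number of distinct accounts that logged in successfully,
    keyed by (application, desktop). Many accounts from one desktop is the
    'shared or misused workstation' signal the text describes."""
    seen = defaultdict(set)
    for e in events:
        if e["ok"]:
            seen[(e["app"], e["host"])].add(e["user"])
    return {key: len(users) for key, users in seen.items()}


def failed_auth_bursts(events, window=timedelta(minutes=5), threshold=3):
    """Report 2: users with at least `threshold` failures inside any sliding
    time window of length `window` (a guessing or lockout-probing signal)."""
    failures = defaultdict(list)
    for e in events:
        if not e["ok"]:
            failures[e["user"]].append(e["ts"])
    flagged = {}
    for user, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged


def build_findings(text, shared_host_threshold=3):
    """Combine both reports into the short list an analyst would review."""
    events = parse_events(text)
    findings = []
    for (app, host), n in sorted(unique_users_per_host(events).items()):
        if n >= shared_host_threshold:
            findings.append(f"{host}: {n} distinct accounts logged in to {app}")
    for user, n in sorted(failed_auth_bursts(events).items()):
        findings.append(f"{user}: {n} failed logins within 5 minutes")
    return findings


if __name__ == "__main__":
    for finding in build_findings(SAMPLE_LOG):
        print(finding)
```

On the sample above the report flags WS-204 (four different accounts used the payroll application from one desktop) and bob (four failures in under a minute). The thresholds are deliberately low for the demonstration; in practice they would be tuned per application and compared across reporting periods, as the text suggests, rather than applied to a single day's log.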


References

i. K.C. Jones, "Businesses More Concerned About Mobile, Remote Security, But Still Ignore Training", InformationWeek, November 5, 2007. http://www.informationweek.com/showArticle.jhtml;jsessionid=C4SCFOM3W2ESQQSNDLPSKHSCJUNN2JVN?articleID=202802456&queryText=information+security+awareness
A report by The Computing Technology Industry Association describes how, despite a rise in security breaches related to mobile computing users (increasingly common in IT and consultancy companies), organizations remain complacent about implementing information security or conducting awareness and training sessions for their employees.

ii. Alex Salkever, "Info Security from the Ground Up", BusinessWeek, April 13, 2004. http://www.businessweek.com/technology/content/apr2004/tc20040413_9762_tc146.htm?chan=search
Many CEOs have paid attention to information security since the September 11 attacks and have invested considerable resources and money in the initiative. However, they still follow a reactive approach to information security awareness and do not take an active stand on it. Security spending is still viewed by management as only a cost without any real benefit to the core business. The article demonstrates a clear lack of understanding of information security and its benefits on the part of management leaders.

iii. Gary S. Miliefsky, "The 7 best practices for network security in 2007", Network World, January 17, 2007. http://www.networkworld.com/columnists/2007/011707miliefsky.html
This article describes ways to improve information security within an organization by providing seven best practices as guidelines which corporations could use to develop their own. Even though it doesn't directly describe the current knowledge about information security awareness, it does make the reader aware of the current state of affairs in organizations with respect to information security by mentioning the attitudes of people in organizations and the kind of steps required to implement it.

iv. Allan Holmes, "The Global State of Information Security 2006", CIO, September 15, 2006. http://www.cio.com/article/24979/The_Global_State_of_Information_Security_/6
This article reports on the global state of information security in 2006. It has a section that highlights the current state of information security and awareness in various sectors such as finance, education, healthcare and the public sector. It draws an important argument in support of the observation that management is concerned only with the economic benefit of information security rather than with a long-term approach to running a business efficiently and securely.