Culture and Awareness

In this video, you will learn about the role of culture and awareness within the context of governance.
A key part of governance relates to culture and awareness. We want people to behave in a way that supports our identity and access management. With threats like zero-day threats, pattern-based systems will recognize some problems, but actually, we’re mostly reliant on human behavior. And we have the term “human firewall”. This is the skill and ability of our users to help prevent issues like zero-day threats through their behavior. And there are different things we can do to help encourage appropriate behavior. We can provide training. And training isn’t a one-off activity. It isn’t something we do once, when somebody joins the organization, then forget about. This is something we do initially and that we sustain.
We should define the frequency of our training and also, maybe, have a test against it. How do we know whether somebody has actually paid attention during the training unless there is some kind of outcome that defines whether or not it has been successful? So with our training, one size does not fit all. Training relates to the type of role and the type of access that you have within the organization. Quite often we will see organizations having a basic layer of training, a minimum standard, that is then supplemented by additional training provided based on what access you have or the type of role that you have – so it’s tiered. The frequency of the training may also differ.
We may have a base level that is annual. But we may have quarterly training for some staff with particularly sensitive access. When we talk about culture, we’re talking about something that’s more deeply embedded than training. And here, in terms of generating a culture, leadership is critical. We want our leaders to help support a change in the way people think about identity and access management, right down to simple things like, do you hold the door open? So if we have a locked door with a key code or an RFID pass, do we hold the door open for the person behind us or not?
So culture refers to the knowledge, the beliefs, the attitudes, the norms and the values of the people, and their approach to identity and access management. We can help change the culture through the approach of our leaders in terms of their sponsorship, in terms of the way they communicate and what they communicate. We can also help to change the culture through lots of softer activities, things like awareness campaigns, things like posters, messages on the intranet or on screens.
A good way of measuring how important identity and access management is to an organization is to look at how often it appears as a standing item on agendas at board meetings. The same is true of security more broadly; this is quite a good barometer. We want to underline the importance of having a robust culture as part of this review. We want to ensure that employees are consulted and that their concerns regarding cyber security are considered, so that there’s a two-way process through which end users can feed back problems or suggestions. We also need to be able to capture any messages regarding business processes or strategies and whether or not they work. Are they actually aligned when it comes to operational delivery?
Where we just impose arbitrary restrictions on devices, or where we just implement things without explaining the why, the why we’re doing things, the why we’re implementing these policies or processes, we will see typically very low levels of compliance.
Individuals will not always comply with something that they don’t understand. If the way they’re being asked to work simply seems more difficult or less supportive, then they will evolve what they see as better ways of working around any controls that we have. So a poor company culture can open the floodgates to security vulnerabilities. I’ve seen examples of people who’ve been asked to work in a very, very strict environment, and the way they evolved solutions around that was to email confidential documents to each other between the organizations over the internet. So instead of having a practical, secure approach, these users were just sending data, really sensitive data, out of the organization.
The same applies to something like a password policy. With password policies we see password complexity requirements: non-alphanumeric symbols, uppercase and lowercase letters, a minimum password length. This doesn’t guarantee a strong password. We’ll see this. We get passwords that meet complexity requirements but which are inherently weak, for example, January01! with a capital J. Now, that meets the requirements of password complexity. But it’s very easy to guess, very easy to compromise. A dictionary-based attack would find that password pretty quickly. So, by explaining why we’re doing things, if we can get that buy-in, we can start to get a much better response on things like the passwords people choose and whether or not they write their passwords down.
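The January01! point is easy to demonstrate in code. The following is an added example, not material from the course or from FutureLearn: it evaluates a candidate password against a typical complexity policy (the length, case, digit and symbol rules the transcript lists) and then separately against a small constructed wordlist of month names and overused base words, after stripping the trailing digits and symbols people bolt on and undoing common letter-for-symbol substitutions. The wordlist, the substitution map and the policy thresholds are assumptions chosen for illustration; a real audit would use a much larger breached-password or dictionary list.

```python
import re
from typing import Dict

# Constructed wordlist fragment: month names plus a few overused base words.
# A real password audit would use a large dictionary or breached-password list.
COMMON_BASE_WORDS = {
    "january", "february", "march", "april", "may", "june", "july",
    "august", "september", "october", "november", "december",
    "password", "welcome", "summer", "winter", "company", "letmein",
}

# Assumed substitution map: undo the usual letter-for-symbol swaps
# so that "p@ssw0rd" normalises back to "password".
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def meets_complexity_policy(password: str, min_length: int = 8) -> bool:
    """Typical complexity rules: length, upper, lower, digit, symbol."""
    return (
        len(password) >= min_length
        and re.search(r"[A-Z]", password) is not None
        and re.search(r"[a-z]", password) is not None
        and re.search(r"\d", password) is not None
        and re.search(r"[^A-Za-z0-9]", password) is not None
    )


def normalise(password: str) -> str:
    """Reduce a password to the base word a dictionary attack would try.

    Strips trailing digits/symbols (e.g. "01!"), lower-cases, and undoes
    common letter-for-symbol substitutions.
    """
    base = re.sub(r"[\d\W_]+$", "", password)
    return base.lower().translate(LEET_MAP)


def is_dictionary_based(password: str) -> bool:
    """True when the password is just a known base word plus decoration."""
    return normalise(password) in COMMON_BASE_WORDS


def evaluate(password: str) -> Dict[str, bool]:
    """Combine the policy check with the dictionary check.

    A password is only acceptable if it passes the complexity policy AND
    is not a decorated dictionary word; the transcript's point is that the
    first condition alone says nothing about the second.
    """
    policy_ok = meets_complexity_policy(password)
    dictionary_hit = is_dictionary_based(password)
    return {
        "meets_policy": policy_ok,
        "dictionary_based": dictionary_hit,
        "acceptable": policy_ok and not dictionary_hit,
    }


if __name__ == "__main__":
    # Constructed samples: the transcript's example, a leet-style variant,
    # and a passphrase that passes both checks.
    for candidate in ("January01!", "P@ssw0rd1!", "correct-horse-battery-staple-7X"):
        print(candidate, evaluate(candidate))
```

Running the block shows January01! and P@ssw0rd1! both satisfying the complexity policy while reducing to "january" and "password" respectively, which is exactly why a policy built only on character classes should be paired with a wordlist or breached-password check rather than relied on alone.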
We can get a better buy-in from the organization. Also with governance, we mentioned controls. Controls help mitigate risk. When we have a starting point with any risk, a control helps reduce that risk to an acceptable level and leaves us with a residual risk level that somebody has chosen to accept, a senior manager has chosen to accept. With controls, typically we class them in three different groups. We have physical controls. Fences, for example, prevent inappropriate access through the use of a physical barrier. The door example that we gave at the start of the course in section one is an example of a physical control. Administrative controls are our policies, processes, our strategy documents.
Administrative controls are typically directive in nature. They tell us how we should operate, what we must do, what we must not do. Finally, we have technical controls. And technical controls cover the very broad range of logical controls. These are things like identity and access management implemented through usernames and passwords and multi-factor authentication. It’s a very, very broad area. Some of these areas will overlap. So for example, if we have an RFID door access system, that’s a physical control but also blends with part of the technical control space.

For example, consider the term ‘the human firewall’. This refers to the skills and ability of users to prevent issues through their behavior. Good cybersecurity will start with people and an awareness of their behavior.

Reflect and share: What is your approach to the culture of cybersecurity at your organization or work environment? What behaviors could be improved to increase security?

This article is from the free online

Cyber Security Foundations: Identity and Access Management

Created by
FutureLearn - Learning For Life
