The three pillars of information security or infosec are confidentiality, integrity and availability, of which the first is the most accessible for most users. Trying to implement infosec controls alongside business as usual is challenging at the best of times. This article explores the challenges in implementing infosec controls. It looks at the potential opportunity that the pandemic has presented for piggybacking onto the natural flow of change that we are experiencing both for working from home and return to work.
In these – sorry I have to say it – unprecedented times we have all had to adapt very quickly to change, grappling with all sorts of different scenarios alongside the emotional and practical challenges.
This rapid and large-scale change has seen many of us realising that the changes we thought insurmountable are not, after all.
For instance, much has been discussed about working from home and, despite the available technology, it’s generally not something many businesses have been willing to completely embrace. The pandemic and ensuing lockdown have shown that working from home needed more than a good reason to be accepted: it needed context (we’re in lockdown); it needed momentum (we could be here for a while and we need to get cracking); and it needed trust that the supporting infrastructures of people, process and tech could be adapted – quickly – and sustained past the period of business continuity.
As a consequence, businesses seem much more relaxed about working from home because they know adaptations are possible: the business won’t fall over catastrophically, the technology holds up and productivity doesn’t suffer.
The primary concern most businesses are actually grappling with when it comes to working from home is availability of the systems – will users be able to access everything they need, when they need it, so that work is not disrupted? A few tweaks and modifications have answered that question with a resounding yes.
So why is change that involves infosec so hard in normal circumstances? For me there are a number of reasons:
The culture doesn’t support an infosec risk-based approach
Businesses are typically value driven. The people, processes and technology are geared up for efficiency and effectiveness towards the end goal of providing a product or service to paying customers.
Infosec can feel reactionary: bolting onto processes measures that seemingly devalue trust, such as adding another authentication step to login, frustrating users and appearing inefficient, pointless and a pain.
The application of technology for information security is usually a reversal of something that has been useful in the past
Suddenly announcing to users that they can’t use the file transfer mechanism that everyone has been using happily for years because it isn’t safe causes confusion and disruption, not only to the user but to their clients and partners.
Alternatives take time to learn, are often not properly introduced and most people these days want an easy fix.
It’s never explained
Unless an infosec-related change is clearly explained, it will be met with rolling eyes and complaints.
As per the previous example, removing functionality without an explanation and without providing an alternative means that those in IT and IS are seen as the enemy, taking away something that was useful and leaving a gap that the users then have to fill, probably by doing something even riskier.
Be empathetic to the process; adding a new step will disrupt learned behaviour and infuriate busy people. So explain why doing this protects the confidentiality of information, and make the responsibilities clear.
It doesn’t have stakeholder support
In a lot of change related to infosec there hasn’t been any contact with the people who use the systems at all, and then everyone is surprised when a solution fails, isn’t adopted or people try to find a workaround (e.g. bypassing the admin software controls by installing an app in a different folder from the official Applications folder on a Mac).
In fact, this is not a new issue. For years IT and the business clashed over the solutions being implemented by IT until some bright spark decided to bridge the gap and gather requirements from stakeholders that could be reviewed and agreed – the Business Analyst was born.
Technology is not always the answer
In some cases, and with a lot of projects that involve finding a solution, technology is not always the answer. For instance, clear desks are a bugbear in a lot of offices, particularly where there is a lot of creativity. Teams need to be able to see work in progress, and this could mean that so can everyone else. Rather than implement a one-size-fits-all approach, review the needs of the business and establish protected spaces where teams can leave information up or out without it being accidentally seen by clients. Or provide clear rules about classifying information so that teams understand where the boundaries are. Meanwhile the rest of the office clears their desks and locks their screens. I’ve seen windows covered up and doors locked, and ‘no-go’ zones for a few weeks where meeting rooms are protected for certain meetings. No solution works for all, but often it’s about a compromise that enables work to continue.
So how can we utilise the opportunity that return to work now affords?
As we start to look to returning to the office and, importantly, normalising how much we work from home, what should we be thinking about to maintain protection of the confidentiality, integrity and availability of our information? How can we ensure that any bad habits picked up during lockdown are not transferred to the office?
Now is an ideal time to reassert the habits we want individuals to have and provide a fresh context for doing so. We can:
- Review the infosec policy / needs for working from home and make sure users are aware of their obligations for keeping information safe
- Be clear about expectations and the value exchange. Users get that they need to protect client, business and colleagues’ information, much like they protect their own, so use this as a way to frame the risk
- Think about practical matters such as expectations for disposal of confidential documents that have been taken home or are printed at home. Also consider whether users may have used their own equipment, or someone else’s, for convenience and what they should do with the information (e.g. their housemate’s laptop is connected to the printer and so they copied the document over to print it)
- Step up training and awareness and focus on the return to work-related areas, such as:
  - Physical security and identification – will everyone be wearing masks, and does this compromise security?
  - Clear desk/lockable space – helps hot desking and desk cleaning
  - Visitor registration and office access – how will personal data be protected, and how do you protect those in the office? The visitors may need to be contacted
  - Social engineering risk – the eavesdropper listening in as the annoying new security measures and one-way system are discussed in the pub
  - Incident management – how do your employees report suspicious behaviour or activity?
  - Cyber risk – phishing is on the rise (Source accessed 28th July 2020) and users need to know what to look for and how to report suspicious emails
The most important and useful thing you can do though is to minimise what users have to do.
This is a general recommendation when trying to implement infosec requirements, or indeed when trying to introduce any change. Overwhelming users with a long list of new things they have to do, on a subject they don’t have any interest in, is a sure-fire way to get your infosec efforts ignored.
Creating a top ten list of things users have to do, highlighting what they are, why they’re important and what it means if they’re not done, generates a sense of consistency and ensures that all users know what their obligations are.
Marie Bradley is a Governance, Risk and Compliance business analyst consulting on a variety of issues including ISO 27001, return to work practicalities and GDPR.