Security Management<br />
Password change<br />
Security advice to staff<br />
changes, John Scott<br />
admits, as the threat<br />
evolves; ‘that means the<br />
advice has to evolve too’.<br />
He gave the example of<br />
passwords. Once, the<br />
advice was to regularly<br />
expire your passwords,<br />
which risked people<br />
forgetting or giving up the<br />
effort; now it’s more about<br />
making sure a password<br />
is long and complex<br />
enough; perhaps random<br />
everyday words that<br />
mean something to you,<br />
put together.<br />
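The password advice above (length over forced expiry) can be put in numbers. The following is an added example, not code from the article or from the Bank of England. It assumes a constructed 16-word demo list for the generator, a 7776-word list (the usual diceware size) for the comparison table, and an offline guess rate of 10^10 per second; all three are assumptions chosen to illustrate the formula, and the entropy figures hold only when the words are chosen uniformly at random rather than because they 'mean something to you'.<br />

```python
import math
import secrets

# Constructed demo word list (an assumption for this example): far too small for
# real use, but it keeps the generator runnable offline. The strength figures
# below are parameterised on list size, not on this list.
DEMO_WORDS = [
    "anchor", "bridge", "copper", "dragon", "ember", "forest", "glacier", "harbour",
    "island", "jungle", "kettle", "lantern", "meadow", "nectar", "orchard", "pebble",
]

# Assumed offline guess rate against a fast hash; real rates depend on the hash
# algorithm and the attacker's hardware.
ASSUMED_GUESSES_PER_SECOND = 1e10


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a secret whose `length` symbols are each chosen uniformly and
    independently from `alphabet_size` possibilities. For a character password
    the symbol is a character; for a passphrase it is a whole word, which is why
    a few random words can outscore a short 'complex' string."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("alphabet_size must be >= 2 and length >= 1")
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float,
                     guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Years needed to try every candidate at the given rate (an attacker
    expects to succeed after about half that)."""
    seconds = (2.0 ** bits) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def generate_passphrase(words, count: int, sep: str = "-") -> str:
    """Draw `count` words with the OS CSPRNG (secrets, not random.choice).
    Uniform random choice is what the entropy figure assumes; words picked
    because they are meaningful to the user are guessable and score lower."""
    if count < 1:
        raise ValueError("count must be >= 1")
    if len(set(words)) != len(words):
        raise ValueError("word list must not contain duplicates")
    return sep.join(secrets.choice(words) for _ in range(count))


def compare_policies() -> dict:
    """Side-by-side strength of common policy choices: label -> bits."""
    return {
        "8 chars, lowercase only": entropy_bits(26, 8),
        "8 chars, full printable ASCII": entropy_bits(94, 8),
        "4 random words, 7776-word list": entropy_bits(7776, 4),
        "5 random words, 7776-word list": entropy_bits(7776, 5),
        "6 random words, 7776-word list": entropy_bits(7776, 6),
    }


if __name__ == "__main__":
    for label, bits in compare_policies().items():
        print(f"{label:32s} {bits:6.1f} bits  ~{years_to_exhaust(bits):.2e} years to exhaust")
    print("example passphrase:", generate_passphrase(DEMO_WORDS, 4))
```

Four random words from a 7776-word list land within a bit of an 8-character password drawn from all printable ASCII (about 52 bits), and a fifth word pushes the phrase well past it; the phrase is also the one staff can remember and type, which is the point of dropping forced expiry.<br />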
Bank of England man on culture:<br />
Toilet talk<br />
A recent ‘Cyber Security UK<br />
Roadshow’ heard from a Bank of<br />
England speaker talking about<br />
toilets. He was making a point<br />
about the need for more than cyber<br />
awareness, but for ‘culture change’.<br />
UNHAPPY<br />
‘Ransomware is evolving<br />
at dangerously fast<br />
speeds and is now<br />
recognised as a very real<br />
threat to organisations<br />
of all sizes.’<br />
Richard Walters, SVP<br />
Security Products,<br />
Intermedia.<br />
He was John Scott, head<br />
of information security<br />
education at the Bank of<br />
England. He suggested two ways of<br />
checking that toilets were in working<br />
order. Either, you say to staff, ‘if you<br />
see a toilet broken, call this number’,<br />
or you employ someone to check<br />
those toilets. Either everyone takes<br />
responsibility if they see a problem;<br />
or you have a compliance department.<br />
What has that got to do with cyber<br />
security? he asked. Answer: personal<br />
responsibility. “Everyone has a role to<br />
play is probably the most important<br />
thing you can tell your staff. If you<br />
help people understand they have a<br />
significant role to play in defending<br />
your company, they will help you to<br />
do that.”<br />
Turn them on<br />
He went on to suggest that IT security<br />
does not help itself. If you don’t<br />
know what’s important, or you offer<br />
security advice without understanding<br />
your business, that may be why staff<br />
don’t care about what you, in IT<br />
security, do. He urged: “Turn on your<br />
human firewall.” Find people who<br />
are going to help you communicate,<br />
in the language of risk. Hence John<br />
Scott talks about toilets; or whatever<br />
works for your staff. He quoted the<br />
five stage process from the cyber<br />
training body the SANS Institute;<br />
from zero to compliance-focused to<br />
promoting awareness and behaviour<br />
change to long-term culture change,<br />
to a metrics framework. He also<br />
offered something simpler; a<br />
minus one, zero, or plus one way<br />
of thinking. Minus one behaviours<br />
are the ones to avoid. Zeros are ok;<br />
you’re complying, but you don’t<br />
get the cookie. Plus ones are what<br />
you want.<br />
Picture caption: Outside the Bank of England in Threadneedle Street in the City of London. We think of the Bank as trustworthy and safe; but that takes a culture, it’s suggested.<br />
John Scott came on to his<br />
second toilet story. He recalled that<br />
the toilet at the Bank nearest him was<br />
by an access control panel. Many, he<br />
admitted, will ignore the access panel;<br />
others will reach behind and pull the<br />
door shut, because they realise the<br />
door is meant to be shut, as part of a<br />
physical security model. The real test<br />
of security is when people see that<br />
here and now they can do something,<br />
to defend their organisation. It’s the<br />
task of Security, then, to encourage<br />
that; to show staff those ‘plus one’<br />
behaviours; and recognise and reward<br />
staff when they do.<br />
Cyber seven<br />
He listed a ‘cyber seven’: passwords,<br />
phishing, social media, document<br />
classification, clear workplace, remote<br />
working, and reporting; and suggested<br />
you have policies, and ‘plus one’ and<br />
‘minus one’ behaviours in mind. For<br />
example; don’t share your passwords,<br />
and ask staff to use password<br />
manager software instead. The Bank<br />
of England phishes its own staff; as<br />
do other banks, as we featured in our<br />
July 2016 issue (‘RBS phishes for<br />
who clicks where they shouldn’t’).<br />
Besides, the IT firewall stops many<br />
of the phishing attacks reaching<br />
computer users; and the Bank asks<br />
staff to report suspicious emails,<br />
whether they clicked on them or not.<br />
Mark documents clearly, and dispose<br />
of confidential documents safely;<br />
don’t leave them on your desk in the<br />
evening; and if there are confidential<br />
things on a whiteboard, wipe them<br />
off. Or if there’s something left on the<br />
printer; take responsibility. If you’re<br />
working on the train, make sure your<br />
screen is not being overlooked. The<br />
Bank uses two-factor authentication;<br />
hence the advice is to keep your<br />
token (that may give you a one-off<br />
password) separate when travelling.<br />
And report the loss of any devices:<br />
“We want people to tell us about<br />
it. The device is incredibly cheap<br />
compared to the information.” The<br />
Bank cannot monitor everybody’s<br />
social media, but can ask people in<br />
a policy not to talk about the Bank<br />
on social media. Have you done<br />
the online equivalent of an MoT on<br />
yourself? Be aware of what people<br />
are saying about you. “And probably<br />
most important, if you see a problem,<br />
say something. And if you have done<br />
something, tell us.”<br />
Lost on the train<br />
There surely is the crunch. If an<br />
employer punished someone for<br />
losing a file or laptop, the staff would<br />
then think to keep quiet about their<br />
error, and to try to fix it themselves,<br />
or cover it up. John spoke of at least<br />
one instance where someone from<br />
the Bank has lost something on the<br />
train; the Bank was told and was able<br />
to go to the train company and look<br />
at its CCTV and see that the item had<br />
not been touched. The staffer, that is,<br />
had the courage to come forward and<br />
report within 20 minutes of getting<br />
off the train minus the item. How to<br />
get people to come forward like that?<br />
was a question from the floor. “We<br />
tell stories,” John replied, “about<br />
when it worked. The point is, we have<br />
got people to trust us, and we have to<br />
stand by that.” As he admitted, staff<br />
will tell stories of their own and draw<br />
morals, if for instance someone got<br />
the sack for losing something on a<br />
train. More, page 58.<br />
34 OCTOBER 2017 PROFESSIONAL SECURITY www.professionalsecurity.co.uk