27-10final

Security Management
Password change
Security advice to staff
changes, John Scott
admits, as the threat
evolves; ‘that means the
advice has to evolve too’.
He gave the example of
passwords. Once, the
advice was to regularly
expire your passwords,
which risked people
forgetting or giving up the
effort; now it’s more about
making sure a password
is long and complex
enough; perhaps random
everyday words that
mean something to you,
put together.
bank of england man on culture:
Toilet talk
Toilet talk
A recent ‘Cyber Security UK
Roadshow’ heard from a Bank of
A recent ‘Cyber Security
England
UK Roadshow’
speaker
heard
talking
from
about
a Bank
of England speaker talking
toilets.
about
He
toilets.
was making
He was
a point
making a
point about the need for
about
more
the
than
need
cyber
for
awareness,
more than
but
cyber
for ‘culture change’.
awareness, but for ‘culture change’.
UNHAPPY
‘Ransomware is evolving
at dangerously fast
speeds and is now
recognised as a very real
threat to organisations
of all sizes.’
Richard Walters, SVP
Security Products,
Intermedia.
He was John Scott, head
of information security
education at the Bank of
England. He suggested two ways of
checking that toilets were in working
order. Either, you say to staff, ‘if you
see a toilet broken, call this number’,
or you employ someone to check
those toilets. Either everyone takes
responsibility if they see a problem;
or you have a compliance department.
What has that got to do with cyber
security? he asked. Answer; personal
responsibility. “Everyone has a role to
play is probably the most important
thing you can tell your staff. If you
help people understand they have a
significant role to play in defending
your company, they will help you to
do that.”
Turn them on
He went on to suggest that IT security
does not help itself. If you don’t
know what’s important, or you offer
security advice without understanding
your business, that may be why staff
don’t care about what you, in IT
security, do. He urged: “Turn on your
human firewall.” Find people who
are going to help you communicate,
in the language of risk. Hence John
Scott talks about toilets; or whatever
works for your staff. He quoted the
five stage process from the cyber
training body the SANS Institute;
from zero to compliance-focused to
promoting awareness and behaviour
change to long-term culture change,
to a metrics framework. He also
offered something simpler; a
minus one, zero, or plus one way
of thinking. Minus one behaviours
are the ones to avoid. Zeros are ok;
you’re complying, but you don’t
get the cookie. Plus ones are what
you want. John Scott came on to his
second toilet story. He recalled that
the toilet at the Bank nearest him was
Outside the Bank of England in
Threadneedle Street in the City of
London. We think of the Bank as
trustworthy and safe; but that takes a
culture, it’s suggested
by an access control panel. Many, he
admitted, will ignore the access panel;
others will reach behind and pull the
door shut, because they realise the
door is meant to be shut, as part of a
physical security model. The real test
of security is when people see that
here and now they can do something,
to defend their organisation. It’s the
task of Security, then, to encourage
that; to show staff those ‘plus one’
behaviours; and recognise and reward
staff when they do.
Cyber seven
He listed a ‘cyber seven’: passwords,
phishing, social media, document
classification, clear workplace, remote
working, and reporting; and suggested
you have policies, and ‘plus one’ and
‘minus one’ behaviours in mind. For
example; don’t share your passwords,
and ask staff to use password
manager software instead. The Bank
of England phishes its own staff; as
do other banks, as we featured in our
July 2016 issue (‘RBS phishes for
who clicks where they shouldn’t’).
Besides, the IT firewall stops many
of the phishing attacks reaching
computer users; and the Bank asks
staff to report suspicious emails,
whether they clicked on them or not.
Mark documents clearly, and dispose
of confidential documents safely;
don’t leave them on your desk in the
evening; and if there’s confidential
things on a white-board, wipe them
off. Or if there’s something left on the
printer; take responsibility. If you’re
working on the train, make sure your
screen is not being overlooked. The
Bank uses two-factor authentication;
hence the advice is to keep your
token (that may give you a one-off
password) separate when travelling.
And report the loss of any devices:
“We want people to tell us about
it. The device is incredibly cheap
compared to the information.” The
Bank cannot monitor everybody’s
social media, but can ask people in
a policy not to talk about the Bank
on social media. Have you done
the online equivalent of an MoT on
yourself? Be aware of what people
are saying about you. “And probably
most important, if you see a problem,
say something. And if you have done
something, tell us.”
Lost on the train
There surely is the crunch. If an
employer punished someone for
losing a file or laptop, the staff would
then think to keep quiet about their
error, and to try to fix it themselves,
or cover it up. John spoke of at least
one instance where someone from
the Bank has lost something on the
train; the Bank was told and was able
to go to the train company and look
at its CCTV and see that the item had
not been touched. The staffer, that is,
had the courage to come forward and
report within 20 minutes of getting
off the train minus the item. How to
get people to come forward like that?
was a question from the floor. “We
tell stories,” John replied, “about
when it worked. The point is, we have
got people to trust us, and we have to
stand by that.” As he admitted, staff
will tell stories of their own and draw
morals, if for instance someone got
the sack for losing something on a
train. More, page 58. p
34 OCTOBER 2017 PROFESSIONAL SECURITY www.professionalsecurity.co.uk