
Invest in making employees more alert to security risks, says PricewaterhouseCoopers

Organisations should be making employees their first line of defence against damaging security incidents instead of investing in technical solutions.

This is the conclusion in a report, Security Awareness: Turning your People into Your First Line of Defence, by PricewaterhouseCoopers. It suggests that the response of organisations to improving protection and reducing risks has been further investment in technology. In essence, they have been solving what are seen as technical issues with technical solutions.

What is required, suggests the report, is a new approach in which an investment in understanding and influencing the behaviours of all those concerned is balanced against continued investment in technology.

Craig Lunnon, OneSecurity, PricewaterhouseCoopers, thinks this approach is misguided: "Technical solutions are too frequently being prescribed for people problems. Although technical defence is vital, systems are inherently vulnerable to both negligent and malicious acts by people. Ignorance, confusion, anger or even curiosity can all give rise to incidents."

PwC's 2010 Global State of Information Security Survey backs up the findings. It shows that only 48% of organisations questioned in the UK have an employee security awareness programme, falling behind the US (64%) and India and Australia (59%).

Efforts to improve security often create cumbersome processes that get in the way of people doing their jobs. Consequently, they can be tempted to bypass security controls, so the human element of technical solutions often diminishes the desired effect.

PwC recommends better engagement between security teams and the business, as well as higher levels of engagement between organisations and employees. The solution is to invest in people: make them the first line of defence against security incidents rather than the cause of them. Thus, the return on investment from a strategy that leads people to exhibit new behaviours around information security will exceed misdirected investment in technology-based solutions.

Lunnon stresses that the goal is to ensure that all those working for an organisation are alert to risks, will want to act to protect information and will be actively supported in doing so. He says: "As the first line of defence, security-aware employees are often best placed to identify a potential breach or weak link. Equally, they can prevent and reduce the impacts of incidents when they do occur."