In the perception of warfare, there is a general fallacy among the uninitiated that superior hardware is the deciding factor. In other words, the sophistication and numbers of hardware such as fighter aircraft, submarines, warships, artillery, tanks, missiles and bombs will surely bring the intruder to his knees. However, the pages of history are replete with examples to the contrary. Regrettably, there is a similar misconception in the management of information assurance – that of neglecting the human element.
Owners and custodians of information assets invest in all forms of “weaponry” to keep the prowler out – anti-virus programs, firewalls, passwords, anti-intrusion applications and so forth. Then, when a compromise does take place, they believe that a one-time upgrade of technical sophistication should set their minds at ease. The point that is often overlooked is the human element, primarily education and training, which are so crucial for winning the war – whether against the nation’s enemy or against hackers with criminal and malicious intent. What then explains this flaw in thinking?
Senior managers in the corporate sector are always quick to claim that their people are their most valuable asset. However, in any organization burdened with custody of information, the root cause of a compromise can often be traced back to human error. There is an obvious contradiction here which begs an explanation.
Human resources are only as good as the education and training they are exposed to; in the business of information assurance, that means educating and training just about everybody, from the CEO right down to the janitor. This is an expensive proposition, especially in the fast-moving lane of information technology, and hence those controlling the purse strings are loath to periodically extend the budget. They would rather pay once for that magic elixir, a program or piece of hardware that would fix information assurance with 100% certainty. Alas, in the real world of hackers, social engineers and the like, companies have fallen victim to them and suffered financial ruin, not to mention untold damage to their brand name. Some hard facts and statistics are appropriate here to back our point of view.
- “In 2005, over 100 significant data security breaches affecting nearly 56 million individuals were reported by businesses in the United States”, claims The Data Security Company, Utimaco.
- On 18 April 2006, Technews reported: “Human error was responsible for nearly 60 percent of information security breaches experienced by organizations over the last year, according to the fourth annual CompTIA study on information security and the workforce”.
- The CompTIA-commissioned survey also tried to place a dollar value on security breaches and reported: “The mean values were over $11,000 for the last security breach and just under $35,000 for breaches over the last year. Some organizations reported a financial impact above $50,000 for security breaches,…”
Those are the sobering facts; ignore them at your own peril and join the ranks of the statistics outlined above. Alternatively, make the following smart moves:
- Re-examine and update your security policies and practices.
- Educate and train your people on their role in preventing security breaches.
- Draw up a program of periodic review and continuing education for your people – your most valuable asset.