An article by Paul Rubens on the BBC website on Monday entitled “Why IT failures at big companies are unlikely to go away” obviously piqued our interest here at IT Governance, and a quotation from Damian Saunders of Citrix Systems particularly leapt out.
“I take a contentious view and say that IT outages are rarely to do with technology,” he said. “There’s normally a role that technology plays in the outage, but when I look at the root cause, by far the greatest cause is people and processes.”
There’s nothing contentious about his view as far as we’re concerned. The BBC article is about IT failures, but the same is true of cyber security: people and processes cause problems and few organisations seem prepared to address them. I’ve recently blogged a set of statistics about this very matter, but they bear reiterating: in the UK last year, 29% of security incidents were caused by a system glitch, 34% by malicious attack, and 37% by human error. The human element accounts for the majority of data leaks and security breaches, so why then is it most often overlooked by inadequate security systems?
We say it again and again: to secure your organisation properly you need an Information Security Management System which addresses people, processes and technology in a single, cohesive package. If you’ve got the technology in place but you don’t have proper processes and haven’t trained your staff properly then you’ve wasted your money. It’d be like buying an expensive safe in which to keep your sensitive documents, placing it in full view of a large window, daubing the combination in foot-high figures on the wall next to it so that your staff could have easy access without having to do anything taxing like remember the numbers, and then acting surprised when you got burgled and someone took all the information you held. You just wouldn’t do it, and if you did no one would sympathise. No one at all.
So how do you manage the “people and process” part of the security trinity? ISO27001 is the only tool which takes an integrated approach and covers the three major facets of cyber security, offering a security system which is strategic as well as operational, encompassing people, processes and IT systems. At IT Governance we provide a wide range of products and services relating to ISO27001. Take a look at what we’ve got on offer, or visit our cyber security information page for further guidance.