Much of the talk at a recent Gartner event was about People-Focused Security: the shift away from seeing systems as a complete solution to security and towards trusting users to be part of the solution. This doesn’t for one minute mean that solutions don’t have their place in the security landscape. They are a necessary part of a strategic approach to security. However, more organisations are becoming aware of the need to involve their users as part of their security solution.
Why is the shift happening? It only takes one simple human error to decimate a successful business. Such an error is not likely to have been a malicious act, and the statistics support the fact that the vast majority of data breaches are a result of human error (95% of all security incidents involve human error, according to IBM). One example is accidentally sending a confidential list of customers to a competitor. I once saw someone fired on the spot for doing just that (in those days it was fax, not email).
I stumbled across an excellent cartoon this week, produced by the well-recognised J Klossner, which summarised this dichotomy extremely well. An organisation could spend millions on advanced network, firewall and other security tools to prevent security breaches. However, it is the negligent insider that is actually the greatest threat of all, and it is the one threat that most companies forget to account for.
If I were a betting man, I would make the human in the cartoon the odds-on favourite to win that battle. Judging by the way organisations run their security today, all their money would be on the security tools and devices to succeed. Perhaps it’s time organisations put their money on their users and not solely on IT.