Don’t Forget Your People

03 September 2015

Amethyst's Mark Chown discusses why a security-aware workforce is just as important as new technology


This year I again took a tentative step into the Infosec trade exhibition where I was greeted with the usual surge of over 300 exhibitors hungry to promote their latest cutting edge security solutions.

I always leave Infosec with the feeling that as security practitioners we can easily be distracted by the lure of the latest security technology trends and risk neglecting more traditional approaches.  Now don’t get me wrong, we will need to implement strong technical controls to manage the new risks associated with the transition to an IT ‘service’ environment that will see the large-scale migration of data from internal infrastructure to the cloud. I recall the Head of Information Security for a top financial institution explaining how, through the use of data analytics, his audit and monitoring solution was able to predict when an employee was about to resign, allowing proactive measures to be put in place.  As a security industry we should embrace new technology and its beneficial capabilities, but not at the cost of other equally important approaches that can offer a better return on investment and an easier path to implementation.

Having undertaken multiple investigations into breaches of security, Amethyst consultants have learned how important the people factor is.  The latest Government Information Security Breaches Survey[1] also suggests that people are more likely to cause a breach than malware, and that twice as many incidents are caused by internal staff as by organised crime. Most interestingly, over half of the most serious incidents experienced by companies are caused by the actions of internal staff or those in the supply chain.

A strong security culture that has developed a well-motivated and security-aware workforce can provide a formidable and very cost-effective defence.  In my experience the vast majority of the workforce want to do the right thing - it is simply that sometimes they may not know what the right thing is, or they might act irrationally while under pressure.  There will inevitably remain those with malicious intent, which is why relevant monitoring capabilities are still needed.

What does a good people security framework look like?

The maintenance of an effective people security framework should not be limited to the security team; it requires engagement from all areas of the business.

Promote a Security Culture

  • Culture and attitude should be driven from the very top of the organisation and be considered as part of the corporate values and strategic direction

  • Constantly emphasise its importance and ensure security is considered in all business decisions.

Manage Employees

  • Pre-employment background and vetting checks should be appropriate to the role and reviewed regularly where the role requires it

  • Employees should understand and agree to the terms and conditions of their employment

  • Reward good security practice and encourage new ideas

  • The organisation should not shy away from taking disciplinary action for breaches of security

  • Managers should be responsible for identifying occasions where employees may present an increased risk to the organisation, for example because of financial or other personal problems.

Implement User Centric Security Solutions

  • Ensure that security solutions are designed with the user in mind, so that they are easy to use and it is clear what the right course of action is, and equally what the wrong one is

  • When designing security solutions, start from a position that assumes that your workforce want to do the right thing but cater for those that may not

  • Avoid excessive security. If the secure way of doing something is the hardest, users will drift towards less painful and potentially less secure methods

  • Where your organisation and its user roles sit on the ‘User Trust v Enforcement’ scale will be dictated by your risk profile and should be based on sound risk assessment.

Create Security Awareness

  • Mandatory annual security awareness training may meet compliance requirements but can have limited impact, particularly if bundled with other compliance training packages

  • Use a variety of methods and approaches to deliver the message

  • Consider relating security issues to a user’s home environment; it will attract more interest

  • Keep it real and specific to a user’s role

  • Regularly refresh material

  • Extend awareness requirements to your supply chain so they understand the risks you face and the expectation that you have on them as a supplier.


When bad things do happen you need to be able to (1) detect them and (2) establish what has happened.

  • Basic logging and monitoring capabilities should be in place

  • Solutions leaning more towards the User Trust model may require enhanced monitoring

  • Don’t rely simply on IT application and system logs – a good monitoring programme should also include, for example, proactive reviews of access permissions and training records

  • Ensure logs are secured, so that they cannot be altered or deleted by the people whose actions they record.
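One way to make the proactive access-permission review above concrete is to cross-check a directory export against the HR roster and a list of approved privileged-group members, flagging the cases an insider investigation most often turns up: leavers whose accounts are still enabled, dormant accounts, accounts with no named owner, and privileged group membership nobody approved. The script below is an added example written for this page, not Amethyst's own tooling; the data, the field names (username, employee_id, enabled, last_login, groups) and the 90-day dormancy threshold are all constructed assumptions, not any product's export format.

```python
"""Access-permission review: cross-check an account export against the HR roster.

Added example; all data below is constructed, and the field names are
assumptions rather than any directory or HR system's real export format.
"""
from datetime import date, timedelta

# Constructed HR roster: employee_id -> employment status and leaving date.
HR_ROSTER = {
    "E100": {"name": "A. Smith", "status": "active", "leaving_date": None},
    "E101": {"name": "B. Jones", "status": "left", "leaving_date": date(2015, 7, 31)},
    "E102": {"name": "C. Patel", "status": "active", "leaving_date": None},
    "E103": {"name": "D. Evans", "status": "active", "leaving_date": None},
}

# Constructed directory export: one record per account.
ACCOUNTS = [
    {"username": "asmith", "employee_id": "E100", "enabled": True,
     "last_login": date(2015, 9, 1), "groups": ["staff"]},
    {"username": "bjones", "employee_id": "E101", "enabled": True,      # leaver, still enabled
     "last_login": date(2015, 8, 20), "groups": ["staff", "finance-admin"]},
    {"username": "cpatel", "employee_id": "E102", "enabled": True,      # no login for months
     "last_login": date(2015, 4, 2), "groups": ["staff"]},
    {"username": "devans", "employee_id": "E103", "enabled": True,      # unapproved admin rights
     "last_login": date(2015, 9, 2), "groups": ["staff", "domain-admins"]},
    {"username": "svc-backup", "employee_id": None, "enabled": True,    # nobody owns it
     "last_login": date(2015, 9, 2), "groups": ["backup-operators"]},
]

# Constructed list of groups that confer privilege, and who is approved to hold each.
PRIVILEGED_GROUPS = {"domain-admins", "finance-admin", "backup-operators"}
APPROVED_PRIVILEGED = {
    "domain-admins": {"asmith"},
    "finance-admin": {"bjones"},
    "backup-operators": {"svc-backup"},
}

DORMANT_DAYS = 90                 # assumed threshold for "dormant"
REVIEW_DATE = date(2015, 9, 3)    # fixed so the example is reproducible


def review_access(accounts, roster, approved, today, dormant_days=DORMANT_DAYS):
    """Return (username, finding) tuples for a human reviewer to action."""
    findings = []
    cutoff = today - timedelta(days=dormant_days)
    for acct in accounts:
        user = acct["username"]
        emp_id = acct["employee_id"]
        emp = roster.get(emp_id) if emp_id else None

        # Ownership: every account should map to a known person (or a documented owner).
        if emp_id is None:
            findings.append((user, "no named owner"))
        elif emp is None:
            findings.append((user, "employee_id not in HR roster"))
        # Leavers: HR says they have gone, but the account is still usable.
        elif emp["status"] == "left" and acct["enabled"]:
            findings.append((user, f"leaver ({emp['leaving_date']}) still enabled"))

        # Dormancy: enabled but unused accounts are a ready-made foothold.
        if acct["enabled"] and acct["last_login"] < cutoff:
            findings.append((user, f"dormant: no login since {acct['last_login']}"))

        # Privilege: membership of a sensitive group must match the approval list.
        for group in acct["groups"]:
            if group in PRIVILEGED_GROUPS and user not in approved.get(group, set()):
                findings.append((user, f"privileged group '{group}' without approval"))
    return findings


def run_review():
    """Run the review over the constructed data as of REVIEW_DATE."""
    return review_access(ACCOUNTS, HR_ROSTER, APPROVED_PRIVILEGED, REVIEW_DATE)


if __name__ == "__main__":
    for username, finding in run_review():
        print(f"{username:12} {finding}")
```

Against the constructed data this reports four findings: bjones is a leaver whose account is still enabled, cpatel has not logged in for over 90 days, devans holds domain-admins without approval, and svc-backup has no named owner. Joining the HR roster to the directory is what catches the leaver; no amount of application logging would, because the account is behaving exactly as a normal one does.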

If you would like to discuss how Amethyst might help you develop your people security programme, please email us at


[1] 2015 Information Security Breaches Survey
