Inform feature
Image: female students chatting in a computer lab (©izusek via iStock)

‘Our users are our best defence’

From surviving the internet to how Hollywood gets it right (and wrong), Garry Scobie, University of Edinburgh deputy chief information security officer (CISO), is taking a creative approach to educating staff and students about information security. He describes how he’s turning the need for security awareness into a tool to help change the organisation’s security culture.

“We can spend a fortune on technical controls or write all the policies and procedures you can think of but it takes just one person to be phished to compromise the network,”

says Garry Scobie, deputy CISO at the University of Edinburgh. This year he has embarked on a major campaign to raise users’ security awareness across his university’s many departments, schools and campuses: no small task.

“We're a large university, among the top in the world for research, and we’re a major employer. It makes us an attractive target for hacking and other attacks.

We’re potentially subject to data theft of staff and students’ personal information for financial gain, because we've got student fees and large employer contracts with third parties.

And there’s the potential for espionage. We hold valuable intellectual property: you name it and it's probably being researched here. We’re a prime target.”

And the biggest security threat?

“It isn’t DDoS. We use Jisc's mitigation for that, which has proved worthwhile in protecting our organisation. It’s phishing. And ransomware. And, most importantly, the lack of awareness they exploit. It’s that lack of awareness that is the biggest threat.”

Which is why Garry has set out on a major programme of education in security awareness.

Getting the message out

“The first question is how do we educate people in the sort of environment we have here within the university: very open, very collaborative, very complex?

People are overloaded with the sheer volume of data and messages they receive daily, and my message about being security aware is just one more thing they have to process.

So how do I get our message through, how do I make it stand out among everything else? Then how do we change the culture? How do we embed security awareness so it becomes a norm for the organisation?”

The current infosec approach started with an assessment of the security culture it sought to influence.

“We got a third party in to hold focus groups across the schools and business units, looking at eight themes: empowerment, awareness, values, behaviours, adherence, accountability, responsibility and cultural norms.

It was right across the board, with participants from all the schools and business units, plus students, so it was well attended. And it was really very useful.”

The exercise provided a great deal of feedback about the current state of the university’s attitudes towards security and supported the direction Garry was taking.

“We have established a security working group with cross-school representation and business unit representation. And this representation is helping to push things forward.

We intend to trial a security champions network and plans for this are now taking shape.”

Empowering people

It is intended that security champions will receive training and then be in a position to help push awareness and understanding about information security, backed up with the support of the infosec team.

“One of the biggest things that came out of the focus group work was that people wanted to feel more empowered regarding security and be able to do the right thing. So our focus has become ‘our users are our best defence’ and we foster an environment that encourages people to speak up and point out, and challenge.

We've got a no-blame culture. If people make mistakes or see security issues or breaches, we want them to be upfront and tell us, and then we work on how we're going to fix it.”

But how does Garry communicate his messages across the university? The infosec team get out of the office and talk to people.

“We do a great many presentations and talks. We’ve been doing this for about 18 months, going round, turning up, speaking and engaging with many different people across the organisation.”

Medieval castles and Victorian fan language

The number of requests for talks is increasing as people become more security aware (“it's great that people are starting to take on board what we're saying, invite us in, and we're starting to create a buzz”), and they are also proactive in adding security presentations to existing events, with a penchant for devising creative talks: “basically we're looking to make it fun.”

“At the university’s week-long Festival of Creative Learning, where classes stop and students have the opportunity to do something different and creative, last year my colleague David taught information security based on a theme of medieval castles. That was different and a great thing to do.

This year we included content about Victorian fan language as part of a talk on the history of pre-digital encryption. It was a hugely popular talking point.

It was a different tone and that got people looking at how we secure messages, the need to encrypt, and how you encrypt, and why it came about. We approached what was seen as a dull topic in a fun, interactive way and that gets you noticed. We also had one of our team present a Shakespearian sonnet on data protection legislation to the event organisers at the Festival of Creative Learning. It broke the ice and built engagement with that group.

You've got to be enthusiastic. If people think you're jaded with information security, it's going to come over in what you're saying and how you're approaching it. You need to make it interesting and entertaining, while being accessible and practical.”

Where Hollywood gets it right and wrong

The pair also team up with existing training programmes. For the last year, the university’s digital skills programme, originally conceived to teach skills around PowerPoint, Word, Excel and similar, has included information security as a digital skill. And this year the university’s fraud awareness week, aimed at finance staff, will include information security.

“We also have a security awareness week: a whole week focusing on information security. This year, I'm doing ‘Cybercrime in Hollywood’ as the keynote.

I'm asking, what is cybercrime, what is hacking, and then looking at how cybercrime is portrayed in the movies, showing where Hollywood has done it badly and also where they're starting to do it well. And then I'm finishing the talk off by showing what the reality of cybercrime is.

It also creates an opportunity to tackle the image of what we do. It's not about people with hoodies and dark glasses sitting in basements, it’s not all dark, shadowy and complex. We need to get away from that. We need to be approachable, we need to de-mystify in order to get people on board.”

Garry and David also do sessions on surviving fraud and social engineering, why information security is important, practical encryption and ransomware.

“Additionally, the University provides a MOOC (massive open online course). It's a three-week online course that helps you develop your digital footprint, your online presence, and looks at the need for managing your privacy and balancing that with doing professional networking.”

Engagement is key

The infosec team provides question sets for projects looking to procure services to ensure “all the right security questions are being asked at the start of a procurement and not at the end”, and a range of guides, including “top tip” flyers. And to ensure they’re engaging well with students, they make the most of their student interns.

“We ask them what they think, how's that coming over? If you're not engaging the next generation then you’re storing up trouble for the future.”

Engagement, and not just with students, is one of the keys to making the programme work – particularly through partnerships within the university. This will be crucial to the success of the security champions initiative and to encouraging people to complete the online training and also attend face-to-face sessions. But it isn’t always plain sailing.

“You need to get buy-in from the top and this is critical to success. Sometimes this has been achieved by staff attending my talks, then they tell the senior team and then the senior team invite me in. So, it’s not just about a top-down approach. Spreading the word and involving everyone is key here.”

As a result of so much activity, awareness is demonstrably increasing.

“A couple of years ago, security wasn't thought about much and, if considered, it was often at the end of a project. We're seeing a big shift now, right upfront, right at the start. It's great. But we need to ramp it up.

If we suddenly go, ‘Oh we're making a difference, we can ease off now,’ then we'll lose the momentum. We've got to keep pushing on and look for new ways to do things.

The attackers are going to keep changing tactics, and so we have to keep responding to different kinds of threats. That's really important.”

Garry on spears and whaling

Garry Scobie

Targeting academics

We’ve had spear phishers target our academics in a clever way. After signing up for a legitimate-looking conference, they receive a reply saying there's been a problem with the registration process, with an attachment included. The attachment is genuine: no malware is involved in the scam. Instead, it’s a form where they’re asked to fill in their personal details to get discounts on local hotels. The answer is to check elsewhere for the validity of the conference, rather than assuming that plausible conference links are genuine.

Finance

Spear phishing commonly targets key, relevant personnel for urgent payments. Mandate frauds, fake websites, payments to fake supplier bank accounts, spoof invoicing: they’re all regular. We have internal controls in finance to block these and people are constantly on their guard, as such attacks are attempted on a regular basis.

We have heard of students giving money to fake money advisors, lottery scams and accommodation scams, especially at the start of the year and especially for overseas students who can be taken in by the promise of "cheap accommodation".

We see certain compromises, such as bitcoin miners being installed. There was a tendency for people to think that’s fine: “It’s just a bitcoin miner.” But bitcoin miners installed in an organisation will search for vulnerable servers and systems on the network and launch attacks against those. Failure to patch impacts on everybody within your organisation and not just the person who has missed a patch.
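The scanning behaviour described above (a compromised host probing many internal servers for something unpatched) leaves a recognisable trace in network flow data: one source fanning out to many distinct peers and service ports in a short window. The following is an added example, not tooling from the article or from the University of Edinburgh; the four-column flow format, the sample records and the thresholds are all assumptions chosen to illustrate the detection, and a real deployment would tune them to the network's normal fan-out.

```python
"""Flag internal hosts that fan out to many peers within a short window,
a simple indicator of the post-compromise network scanning that an
installed crypto-miner may perform. Added example: the flow format and
thresholds are assumptions, not the university's own monitoring."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records in an assumed "timestamp src dst dport"
# format. 10.1.2.3 sweeps twelve hosts across SSH, SMB and RDP in under
# two minutes; 10.1.2.50 is ordinary web traffic.
SAMPLE_FLOWS = """\
2024-03-01T09:00:00 10.1.2.3 10.1.2.10 22
2024-03-01T09:00:10 10.1.2.3 10.1.2.11 445
2024-03-01T09:00:20 10.1.2.3 10.1.2.12 3389
2024-03-01T09:00:30 10.1.2.3 10.1.2.13 22
2024-03-01T09:00:40 10.1.2.3 10.1.2.14 445
2024-03-01T09:00:50 10.1.2.3 10.1.2.15 3389
2024-03-01T09:01:00 10.1.2.3 10.1.2.16 22
2024-03-01T09:01:10 10.1.2.3 10.1.2.17 445
2024-03-01T09:01:20 10.1.2.3 10.1.2.18 3389
2024-03-01T09:01:30 10.1.2.3 10.1.2.19 22
2024-03-01T09:01:40 10.1.2.3 10.1.2.20 445
2024-03-01T09:01:50 10.1.2.3 10.1.2.21 3389
2024-03-01T09:00:05 10.1.2.50 10.1.2.100 443
2024-03-01T09:00:30 10.1.2.50 10.1.2.101 443
2024-03-01T09:01:00 10.1.2.50 10.1.2.102 80
"""


def parse_flows(text):
    """Parse flow lines into (timestamp, src, dst, dport) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return records


def find_scanners(records, window=timedelta(minutes=5), min_peers=10, min_ports=2):
    """Return {src: (distinct_peers, distinct_ports)} for every source whose
    busiest sliding window of length `window` reaches at least `min_peers`
    distinct destinations and `min_ports` distinct destination ports.
    The port threshold separates a service sweep from, say, a backup job
    that legitimately contacts many hosts on one port."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in sorted(records):
        by_src[src].append((ts, dst, dport))

    flagged = {}
    for src, events in by_src.items():
        best = (0, 0)
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            peers = {dst for _, dst, _ in events[start:end + 1]}
            ports = {dport for _, _, dport in events[start:end + 1]}
            if (len(peers), len(ports)) > best:
                best = (len(peers), len(ports))
        if best[0] >= min_peers and best[1] >= min_ports:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    for src, (peers, ports) in find_scanners(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src}: {peers} distinct peers on {ports} ports - review this host")
```

Run stand-alone it reports only 10.1.2.3. The window is kept deliberately short because a miner's scanner tends to move fast; a slow, low-volume sweep would need a longer window or a per-day peer count, which is the usual trade-off between catching stealthy probes and tolerating the fan-out of legitimate management tools.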

Freedom of information requests

Freedom of information can offer an attack potential. We have a legal requirement to respond to cyber issues and questions, but we have to be very careful about what we say and how we say it because you could be leaving yourself open to further attack as a result of information you give out.

Tip: check your online profile

When academics are personally targeted in whaling attacks, we get calls saying, "How did they know all this personal information about me?" But if we look at their academic online profile, we'll find it's full of useful data. Their biography is there, their teaching, their PhD supervision, what research, what projects, who they've been working with, what they've published.

Clearly, we can't expect people to hide away, but they have to be aware that the phishing attempts on them are based on data and information they themselves put out. People need to keep that in mind and be vigilant during all correspondence.