BBC: Involve all staff in cyber security education

By Stuart Sumner
02 May 2014 View Comments
bbc-sign-web

Every member of staff in an organisation should learn about cyber security and their responsibilities, according to David Jones, head of information security at the BBC.

Speaking at security conference Infosec this week, Jones added that security incidents present a learning opportunity.

Further reading

"We see incidents as an opportunity to learn about our systems, process and people, and to improve all of those things. Whilst attacks can be damaging, at the same time we try to gain as much as we can from them," said Jones.

He used the example of the sustained campaign of phishing attacks the BBC suffered from the Syrian Electronic Army last year.

The BBC created an automated response which first involved blocking the domains from which the attacks originated, then ran a search-and-destroy programme to remove all examples of the attack from staff mailboxes.

"But this was not enough," Jones explained. "Users have iPhones and iPads. We had to get to them to tell them they're potentially going to be phished in a way we can't block."

This became part of an extensive education programme across the BBC.

"You have to involve everybody in education," he said. "After the phishing attack, we ran a campaign for all staff."

Jones added that the programme was so successful, his team was soon inundated with examples of suspicious emails sent by concerned staff.

"In the first three weeks we found several new types of malware which even the security companies said they hadn't seen before," he said.

The next step, said Jones, is to get the message out to stakeholders, explaining what security issues have arisen, and what has been done about it. He explained that very often senior management are not sufficiently aware of the importance of the work done by security professionals, and this can only be changed by informing them of what could have happened had the right steps not been taken.

"It's about education, and getting the message back out to the stakeholders," he said. "Explain what you've done. Even a little bit of trumpet-blowing is important. Report what could have happened, how close were you to something fairly catastrophic?"

He concluded that this amounts to one of the key aims of security incident response: to educate stakeholders, staff and partners, to reduce possibility of incidents happening again.

securing-talent-and-masthead-new

 

Computing and QA Training's Securing Talent campaign aims to raise awareness of the growing need for people with cyber security skills in industry and government, and for clearer pathways into the cyber security profession.

Reader comments
blog comments powered by Disqus
Newsletters
Windows 10 - will you upgrade?

Microsoft has made an early version of Windows 10 - its next operating system - available for download. The OS promises better integration and harmonisation across platforms, including mobile and desktop. Will your business be upgrading?

21 %
50 %
12 %
17 %