Every member of staff in an organisation should learn about cyber security and their responsibilities, according to David Jones, head of information security at the BBC.
Speaking at security conference Infosec this week, Jones added that security incidents present a learning opportunity.
“We see incidents as an opportunity to learn about our systems, process and people, and to improve all of those things. Whilst attacks can be damaging, at the same time we try to gain as much as we can from them,” said Jones.
The BBC created an automated response which first involved blocking the domains from which the attacks originated, then ran a search-and-destroy programme to remove all examples of the attack from staff mailboxes.
“But this was not enough,” Jones explained. “Users have iPhones and iPads. We had to get to them to tell them they’re potentially going to be phished in a way we can’t block.”
This became part of an extensive education programme across the BBC.
“You have to involve everybody in education,” he said. “After the phishing attack, we ran a campaign for all staff.”
Jones added that the programme was so successful that his team was soon inundated with examples of suspicious emails sent by concerned staff.
“In the first three weeks we found several new types of malware which even the security companies said they hadn’t seen before,” he said.
The next step, said Jones, is to get the message out to stakeholders, explaining what security issues have arisen, and what has been done about it. He explained that very often senior management are not sufficiently aware of the importance of the work done by security professionals, and this can only be changed by informing them of what could have happened had the right steps not been taken.
“It’s about education, and getting the message back out to the stakeholders,” he said. “Explain what you’ve done. Even a little bit of trumpet-blowing is important. Report what could have happened, how close were you to something fairly catastrophic?”
He concluded that this amounts to one of the key aims of security incident response: to educate stakeholders, staff and partners, so as to reduce the possibility of incidents happening again.