Data can leave your organization in many ways—through files stored in lost equipment, files sent to unauthorized recipients, or systems and applications accessed in an unauthorized or unofficial fashion. While implementing and maintaining security policies and technologies are critical means of reducing this risk, companies should not overlook the importance of security awareness training.
To be effective, a security awareness program must go beyond the basics. Many information security awareness programs consist of little more than having users sign a policy document and click on a log-on banner. The company may also display posters throughout the premises. Some organizations sponsor security awareness briefings on a periodic basis.
Each of these components is important in a robust awareness program. However, these methods alone are inadequate. For example, users and visitors rarely read the policy and logon banner. They are told to sign at the bottom of the page or click through the banner to start their computer, but there are no safeguards or enforcement efforts to verify that the policy has been read and understood.
Similarly, posters are often placed only in common areas, such as the lobby and cafeteria. Visitors have a good shot at being exposed to the messaging in the lobby, but for employees, common areas fall short. Many don’t eat in the cafeteria, and they may rarely enter or exit via the lobby.
A solution to this problem is to add more robust and diverse awareness training to the security arsenal. A security awareness program should be tailored to specific types of employees. It should include new methods of teaching, provide incentives, and include ways to measure effectiveness.
Tailored to Employees
The entire work force should be required to go through awareness training. However, requiring executives, shift workers, telecommuting workers, and road warriors to all attend a specific meeting on a specific day may not be realistic. Before launching a new program or updating an existing one, managers should discuss the various categories of workers and their potential schedule conflicts and perspectives.
To show support for the program, all managers should attend the same initial class as their staff. It is also important that a master attendance roster be maintained to ensure that all employees have been through the briefings.
When considering how to train employees, language differences should be considered. If there are any employees who need translation services to more fully comprehend the material, the company should make that investment.
Because not all users are created equal, it is helpful to break the awareness training into categories based on the type of user. The program developer should think through the various positions within the organization and related job functions. All users should receive the same basic awareness training, but the following examples illustrate how additional training might differ depending on the user.
Special access. Some users have greater levels of access to sensitive or private information. These employees might work in legal, human resources, and research and development departments. If an organization has a well-defined information classification scheme, awareness activities can be developed to closely match each level of sensitivity. If not, the first step would be to identify the various types of data, their respective sensitivity, and who has access before deciding which workers get this type of training.
Nontraditional. Even though housekeeping and maintenance employees probably do not use IT systems for their day-to-day functions—and, therefore, don’t have access to electronic documents—they can be exposed to paper documents on fax machines, copiers, and desks, and they have access to computers in offices. These employees should, therefore, not be excluded from document security training.
Their training should specifically address their responsibilities and penalties for noncompliance. Since they are moving around all areas of the facilities, they should be told what to watch for as indications that others are mishandling documents as well as what to do if they see sensitive information lying around where it should not be, such as on the sidewalk or the parking lot.
Visitors. Security awareness training should address how staff can ensure that visitors won’t have access to information they should not see. Another concern is preventing visitors from accidentally corrupting data, for example by connecting an infected laptop to the corporate network. In most cases, the company can’t require visitors to attend a briefing, but it can require visitors to read and sign a policy statement that outlines expectations while they are on the site.
IT. The group that needs the most security awareness training is the IT staff, which has the greatest access to systems housing electronic documents and is responsible for configuring, maintaining, and troubleshooting those systems. IT staff must be made aware of which information is sensitive and needs the highest levels of protection.
The IT staff must also understand its role in securing information systems and the penalties for abusing access privileges. Working with security, IT should also understand the importance of staying up-to-date on the latest threats, known vulnerabilities, and response procedures.
Security. The head of security should not overlook the need to include his or her own security staff in awareness training. Just because they are responsible for implementing security doesn’t mean they know all the details of the data protection program, including which documents and systems are most sensitive. Their training should include what they should look for in terms of suspicious activity, incident response, or noncompliance as they carry out other security duties, such as patrols.
Posters, briefings, and written policies are traditional means of educating and reinforcing security programs. However, managers should consider additional, out-of-the-box approaches such as paper messages, remote notices, and data-sharing programs.
Paper messages. When launching a new policy or when attempting to revitalize an existing policy that has been ignored, managers should take every opportunity to promote that policy. For example, managers could author an article in the corporate newsletter; place small tent cards on cafeteria tables similar to the way restaurants advertise; and post notices on bulletin boards, in conference rooms, next to elevators, and in other public areas.
Remote communications. Managers should get creative with the method of delivering program messages for employees who are constantly on the road or out of the office. It is not cost-efficient to require them to attend a periodic one-to-two hour meeting. This is where the Internet or intranet can come in handy.
Internet-based meeting software can allow the organization to schedule conferences that may fit into almost everyone’s schedule. If such software is not available, managers can record the meeting and post it to the corporate intranet for individual retrieval. If these options are cost-prohibitive, managers can burn the audio presentation onto a CD or DVD and send it to remote offices where the office manager can schedule employee training accordingly.
Data sharing. Information gleaned from content filtering for Web or e-mail traffic can be used to illustrate data-security rules. For example, managers could publish a report on the number of viruses stopped in e-mail through the correct use of virus-blocking software.
One large financial organization ran a report every month listing the top 10 Web sites frequented by employees. Any information that could identify the user, such as an IP address or username, was sanitized, and the list was posted in all common areas.
The first month, adult entertainment and gambling sites topped the list, but once tracking results were posted, it did not take long before they were replaced by business and more acceptable personal Web sites. Posting such information increases security’s visibility and helps demystify the function and value of the security team.
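As an added example (not from the article or the organization it describes), here is one way to produce the kind of sanitized top-site report described above from Web proxy logs: the script keeps only per-hostname counts, discards IP addresses and usernames after parsing, and suppresses any host seen from fewer than a minimum number of distinct users, because a site visited by only one person would identify that person even with the name removed. The log format and sample lines are constructed for illustration.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log (not real traffic), one request per line:
# "<timestamp> <client_ip> <username> <url>"
SAMPLE_LOG = """\
2024-03-01T09:00:01 10.1.2.3 jdoe https://intranet.example.com/home
2024-03-01T09:00:05 10.1.2.4 asmith https://news.example.org/markets
2024-03-01T09:01:10 10.1.2.3 jdoe https://news.example.org/tech
2024-03-01T09:02:00 10.1.2.5 bwong https://intranet.example.com/hr/benefits
2024-03-01T09:03:30 10.1.2.4 asmith https://intranet.example.com/home
2024-03-01T09:04:00 10.1.2.6 cjones https://casino.example.net/slots
2024-03-01T09:05:00 10.1.2.6 cjones https://casino.example.net/poker
"""

def parse_line(line):
    """Return (client_ip, username, hostname) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _ts, ip, user, url = parts
    host = urlsplit(url).hostname
    return (ip, user, host) if host else None

def top_sites(log_text, n=10, min_users=2):
    """Rank hostnames by hits, keeping only aggregate counts.
    IPs and usernames are discarded after parsing; a host seen from fewer
    than min_users distinct accounts is suppressed, since in a small
    population a rarely visited site would single out whoever went there."""
    hits = Counter()
    users = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _ip, user, host = rec
        hits[host] += 1
        users[host].add(user)
    ranked = [(h, c) for h, c in hits.most_common() if len(users[h]) >= min_users]
    return ranked[:n]

def report_is_sanitized(report, log_text):
    """True if no IP or username from the log leaks into the published list."""
    idents = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            idents.update(rec[:2])
    published = " ".join(host for host, _ in report)
    return not any(i in published for i in idents)
```

With the default threshold, casino.example.net is dropped from the sample report because only one account visited it; in a large organization the threshold can be raised without losing the sites that matter.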
One way to get employees to maintain solid security practices is to spell out the penalties that employees will incur for violations. That disclosure is also legally advisable. But this “stick” approach should not be the primary motivator.
Managers should also use “carrots” for a more positive means of motivation. These could include recognition rewards, such as free coffee, kudos in the corporate newsletter, or even cash rewards for exemplary security awareness behavior. Of course, rewards should be commensurate with the security activity being recognized. Shredding a document with questionable content found in a trashcan isn’t the same as reporting a violation that could result in privacy violations or financial loss.
Updating and expanding a security awareness program will cost money. It is imperative to provide management with a detailed account of expenses and expected returns on an awareness program. Return on investment is tricky to demonstrate, of course. Besides the obvious citing of avoided security breach costs, managers should try to create a list of metrics that demonstrate the value of a specific program.
When developing metrics, security managers must work with other departments and design the program carefully to ensure that they are measuring the right information. For example, a company might devise an awareness program to emphasize the detection and reporting of hacking attempts. However, even if those attacks are reduced, the company has no way of knowing whether the drop was due to the awareness program or to tighter IT controls.
In contrast, one organization set a goal of reducing the number of work hours lost due to computer viruses. The company first implemented technological changes including new software programs. These changes helped, but after a year, the numbers leveled off. The security manager then worked with IT to implement a security awareness program to inform users about viruses, issue bulletins after outbreaks, and disseminate other security information. After a year, time spent on virus attacks went from 6,000 hours annually to 2,000 hours. Security could clearly attribute this improvement to the awareness program.
While security systems are important, when it comes to protecting information, companies must not underestimate the human factor. Security awareness programs ensure that personnel actions won’t undermine other aspects of data protection.
Lee Kelly is a senior security engineer for Patriot Technologies in Frederick, Maryland.