Security Lessons Learned
Employee Training & Education Can Mitigate Threats
Security isn’t only about protecting your network from
external threats; it’s also about protecting against threats from within. The first step to security is
awareness; therefore, it’s important that all your employees know not only the potential threats but
also how to recognize and prevent them. Education and awareness give each employee an understanding of
his or her role in protecting the organization’s network, and that, in turn, goes a long way toward
mitigating risk.
Policy Primer
One of the first actions a company should take is to create a policy and procedure document that informs
employees of the rules of computer usage, especially the limits on Internet and email use. Secondly,
the organization should teach employees “best practices” for using the Internet and email
(for instance, not opening attachments from unknown senders and keeping passwords private).
“Many Internet threats are easily avoidable and just executed by employees who are simply unaware of
their presence. Once briefed on basic Internet security, it is equally important to keep your employees
educated as well. When new threats arise, send out memos alerting each employee of the threat, how to
identify it, and what to do if and when they have it,” says security expert and Guardian Digital CEO
Dave Wreski.
Thirdly, the organization should make sure all employee computers and laptops are equipped with the
latest security tools. “It is also not a bad idea to alert them to the presence of these tools and teach
them how to run scans, if they already do not know. This is especially true for mobile workers who may
be running on an insecure Internet connection,” adds Wreski.
Finally, make sure employees are aware of the internal risks, as well. Wreski contends that you should
alert all staff to the importance of reporting unusual or potentially harmful activity amongst other
employees. This can save the corporation thousands of dollars and days of headaches.
Outsource Awareness
Security awareness requires commitment to a continuous program of employee communications and should be
planned as such. “Our NoticeBored service, for example, delivers a sequence of awareness modules
covering a different information security topic every month so there is always something fresh to read,”
says Dr. Gary Hinson, CEO of security-awareness firm IsecT.
The awareness materials themselves need to be well-written, creative, and interesting to engage the
audience, which raises another point: Who should be security-aware? “In my view, if you want to create a
genuine security culture, everyone in the organization from top to bottom needs to be informed and
motivated about information security. The NoticeBored materials address general employees, managers, and
IT people separately because they have distinct information needs,” adds Hinson.
Training & Rewards
Many organizations believe that addressing technical issues alone is enough to manage their IT security.
Unfortunately, this is simply not true; the weakest link in the IT security chain is the human element.
“In this sense we need to enhance awareness in all professional organizations by helping them develop a
better understanding of all computer and information security issues, such as spam, the dangers of
accidentally downloading spyware, and phishing expeditions. A good awareness program should contain at
least three basic elements: to inform, train, and continually educate employees,” says IT Professor
Jeimy J. Cano of the Universidad de los Andes in Bogotá, D.C., Colombia. These elements apply to
everyone in the organization, because they show each person how he or she can contribute to security management.
One social engineering tactic that recently has grown tremendously is the phishing attack, oftentimes
via spam. Your organization’s email policy should address phishing by advising employees to be skeptical
and to err on the side of caution. Unless recipients are 100% sure that a particular message is
legitimate, they should assume that it is not.
They should also never supply usernames, passwords, account numbers, or any other confidential
information via email and never reply directly to questionable email. Do not permit downloading of
unauthorized software or freeware, such as file-sharing programs or free games, as they can contain
spyware. This sentiment is mirrored by Ken M. Shaurette, information security solutions manager at MPC
Solutions, who says that “employees need to be alert to their own and others’ activities that might
constitute an issue for information protection, like not opening attachments, unnecessary surfing,
downloading files, [and] overall misuse of the resources they have been trusted with.”
Cano believes that informing everyone helps communicate the importance of the policies and procedures
and how IT security issues relate to their work environment. Likewise, training, after informing,
requires that each worker test his or her own environment and validate that the policies and procedures
are effective.
Lastly, organizations need a program to establish the minimum level of education required by all
employees, based on the sensitivity of information to which she or he has access. This program may
require that certain employees achieve some certification-level IT knowledge in specific areas, such as
access control, computer security principles, security technologies, and so on.
In The End
While monetary rewards are a motivating factor for employees, praise and discipline may go further in
getting employees to follow policies and procedures. Edgar Danielyan, author of “Solaris 8 Security” and
the “Information Security Qualifications Handbook,” says, “I have found that the carrot and stick
approach works best, although it may sound quite cynical. Staff should be encouraged and rewarded for
thinking about security, but they also should know that negligence would not be tolerated. It all comes
down to whether lip service is being paid or the management really cares . . . In the U.S. I understand
the Sarbanes-Oxley Act is imposing a more rigid, encompassing control framework on everything including
infosec; Europe also feels these requirements as a byproduct of the international reach of U.S.
multinationals.”
by Douglas Schweitzer
Best Way Employees Can Help
Dr. Gary Hinson, CEO of IsecT, advises that the best way employees can ensure network security
is to protect their login details. For example, they should choose long, strong passwords, keep
them private, and change them every month.
The best way to conserve storage space is to file information (such as data files and emails)
into a structured directory arrangement and to go through the structure once a month. Listing
directories, files, or emails by size shows how much space they’re eating up and can prompt
employees to get rid of unnecessary larger items.
Factors To Consider
• Create policies and procedures and ensure they are enforced.
• Teach employees best practices when using both Internet and email.
• Send out memos alerting each employee of new threats and how to handle them.
• Make sure all employee computers and laptops are equipped with the latest security tools.
• Require that workers test their security procedures to validate effective policies.
• Require that certain employees achieve some certification-level of IT knowledge.