February 15, 2008 • Vol.30 Issue 7
Page(s) 1 in print issue

Tips For Improving Users’ Security Awareness
Employee Education Is A Powerful & Cost-Effective Tool
As much as most IT managers wish otherwise, security remains a top concern of most departments. According to a recent survey commissioned by GFI (www.gfi.com) of senior executives and IT managers at more than 450 small to midsized enterprises, security and system downtime are their top daily concerns, with 71% of respondents mentioning both. It comes as no surprise that the overwhelming majority have already implemented the basics, with more than 80% using antivirus and antispam software and network firewalls. Despite having the technology in place, 42% do not consider their networks to be secure. What’s a poor CIO to do? Almost half spend more than 10% of their IT budget on security, leading many to question whether throwing more technology at the problem is an effective strategy.

GFI’s survey does offer some hope: it suggests that raising end-user security awareness would help. Almost half of the managers surveyed agreed that “better awareness on security among employees would improve the level of security,” indicating that security training may be a more cost-effective solution than additional technology. While another survey of user behavior by RSA has some harrowing statistics—8% reported losing a laptop or portable storage device containing corporate information—it’s a mistake to conclude users aren’t concerned with security.

If you’re convinced some employee training can leverage your IT security budget, keep the following expert tips in mind.

Indoctrinate New Employees

David Kelleher, communications and research analyst at GFI, thinks new employees should be given a thorough review of a company’s security policy as part of their initial orientation. He believes “it’s quite clear people remain the weakest link in computer security,” yet they are often unaware of the risks and best practices for secure computing. He says the most effective way to ensure employees get this information and understand their responsibilities is by catching them on the way in as they join the firm.

Kelleher adds that the security orientation doesn't have to be an expensive formal course to be effective; for small companies, it may involve nothing more than having an IT manager sit down and share security policy and tips for an hour or two. He says these sessions should cover basic policy guidelines such as appropriate use of company PCs, personal software, and the Internet; rules on password selection; and any restrictions on the use of portable devices such as iPods or USB drives on the company’s network.

Regularly Communicate Security Issues

Most companies already have a documented security policy; however, as Kelleher notes, it’s usually a thick tome few employees ever read. He reminds IT managers that a basic principle of psychology is that people learn by repetition—“the more people read something, the easier it is to remember.” Thus, he suggests using regular email newsletters, say every week or two, to summarize a particular aspect of the company’s security policy or highlight recent security threats such as virus attacks or phishing schemes. Newsletters can be an easy and effective way of “evolving an employee’s knowledge,” he says, by giving employees information on how to identify and counter various threats. He also recommends reinforcing the message by using other communication paths, such as office bulletin boards, to catch people’s attention and raise security awareness.

Yet for the message to be received and understood, Kelleher says it’s important to avoid IT jargon. “IT people tend to talk too technically,” he says, so security bulletins to the general employee population need to be in language they can understand.

Market Security Importance To Managers

While all employees need a general awareness of security, Kelleher says IT leaders should make a special effort to convey the business importance of computer security to upper management. IT should target management with training that is more specific, including information that underscores security’s relevance to the overall organization, with the goal of ensuring that security issues are factored into future business decisions. “[IT leaders] need to explain to management that there’s more to security than viruses and spam,” he adds.

Use Professional Trainers For In-Depth Training

Most formal security courses are designed for IT professionals; however, Mark Tucker, vice president of marketing at New Horizons (www.newhorizons.com), says his firm offers two classes specifically for end users. Tucker admits that technical security training for IT staff still gets the most attention from the company’s customers, but more companies realize that “security isn’t just confined to the IT department; it’s also about the 2,000 people who access the local Exchange server.” He says that structured courses provide a quick, effective, and convenient way of raising security awareness throughout an organization.

New Horizons, like its competitors in the IT training market, offers a number of training formats, including traditional classroom courses, online computer-based training, or a hybrid approach it calls mentored learning that pairs self-paced video lessons with a local instructor to address each student’s questions.

New Horizons’ “Security Awareness Program,” one of its more popular offerings, is designed for the everyday user of computers and networks. It provides security knowledge and skills in a nontechnical format and is intended for all PC users with a basic understanding of computers. “Security 5” is a more technical alternative designed as an entry-level certification that Tucker says is popular for help desk or customer service positions.

Get Outside Help

Most small businesses have more than enough work running their business without trying to cajole one of their staff into becoming the local security expert. For these companies, Vic Berger, security specialist with CDW, says that outsourced security consulting makes sense. Berger suggests contracting with a local security VAR who can conduct annual audits and quarterly update checks and even lead employee awareness training or seminars. He says that finding a local partner that can quickly respond to pressing issues is important, but he advises narrowing the search to a VAR that has a relationship with a larger IT services organization such as CDW or Insight.

Increasing the security awareness of employees is the best way to strengthen the weakest link in computer security, yet it is a commitment that needn’t cost a lot of money. Experts agree that employees want to do the right thing, but too often they aren’t aware of what constitutes risky behavior. Taking some simple steps to communicate and enforce policy in a way employees understand and internalize can go a long way toward improving any SME’s security profile.

by Kurt Marko


EASIEST TO IMPLEMENT: Use Password Management Software

Getting users to create and update secure passwords is a challenge. Enforcing strong password policies on servers and domain logins isn’t a panacea because users often just write cryptic passwords down on a Post-it note. Password management software can greatly simplify users’ lives by obviating the need to remember a separate password for each account. These programs securely generate and store passwords in an encrypted database that is unlocked by a single passphrase. The software makes it a snap to create random passwords of any length and can incorporate rules requiring mixed case, numbers, and symbols. The trade-off is that the master passphrase now protects every stored credential, so it must be long, unique, and never written down. A popular free and open-source solution for Windows is Password Safe (passwordsafe.sourceforge.net), while commercial solutions include RoboForm (www.roboform.com) and Chapura’s TurboPasswords (www.chapura.com).
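The following Python is an added illustration of the two mechanisms the sidebar describes; it is not code from the article or from Password Safe, RoboForm, or TurboPasswords. It generates a random password that satisfies a mixed-case/digit/symbol rule using rejection sampling (so every compliant password is equally likely), reports the entropy of the result, and derives a fixed-size key for the encrypted database from the single master passphrase. The symbol set, the 16-character minimum, and the PBKDF2 iteration count are assumptions chosen for the example; real password managers use scrypt or Argon2 where available.

```python
import hashlib
import math
import secrets
import string

# Character classes the generator draws from. The policy (an assumption for
# this example) requires at least one character from each class.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?/",   # assumed symbol set, 24 characters
}
ALPHABET = "".join(CLASSES.values())        # 86 characters in total


def meets_policy(password, min_length=16):
    """True if the password is long enough and contains one character from every class."""
    if len(password) < min_length:
        return False
    return all(any(c in chars for c in password) for chars in CLASSES.values())


def generate_password(length=16):
    """Generate a policy-compliant password with the OS CSPRNG.

    Characters are drawn uniformly from the whole alphabet and candidates that
    miss a class are discarded. This rejection sampling keeps the distribution
    uniform over all compliant strings; the common shortcut of forcing one
    character per class and shuffling skews the distribution.
    """
    if length < len(CLASSES):
        raise ValueError("length must allow one character from each class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate, min_length=length):
            return candidate


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random string; the rejection step lowers it only marginally."""
    return length * math.log2(alphabet_size)


def derive_vault_key(passphrase, salt, iterations=600_000, key_len=32):
    """Turn the master passphrase into a key for the encrypted database.

    PBKDF2-HMAC-SHA256 is used because it ships in the standard library; the
    iteration count is an assumption (a slow KDF is what makes offline guessing
    of the master passphrase expensive). Store the random salt next to the
    database, never the passphrase.
    """
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               salt, iterations, dklen=key_len)


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, meets_policy(pw), f"{entropy_bits(20):.1f} bits")
    salt = secrets.token_bytes(16)
    print(derive_vault_key("correct horse battery staple", salt).hex())
```

A 20-character password from this 86-character alphabet carries about 128 bits of entropy, far beyond what any user could memorize or would be tempted to write on a Post-it note; the master passphrase remains the one secret that must be strong and kept in the user’s head.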



BEST TIP: Basic Enforcement Practices

Despite efforts to educate employees, sometimes people need a little incentive to do the right thing. GFI’s David Kelleher says it’s important for companies to have some enforcement and accountability measures in place. He feels that by ensuring employees understand that they are held personally responsible for the information on their systems, they will be more likely to adopt secure computing behavior. Vic Berger, security specialist with CDW, adds that technology can also augment policy enforcement. Password strength and aging rules should be configured on central sign-on systems (such as Active Directory), while the most vulnerable, roving systems, such as laptops and smartphones, should be protected with network access control software.



Copyright © by Sandhills Publishing Company 2010. All rights reserved.