End User Education in the Real World
Published: March 20, 2013
Author: Harry Waldron, Enterprise Security MVP, CPCU, AAI
Organizations must create a trustworthy computing environment
Over a decade ago, Microsoft launched a company-wide initiative called Trustworthy Computing. At the time, it was a revolutionary concept that set out to fortify internal product security and improve the associated human behavioral controls. Today, every company must employ a similar strategy to protect its information resources.
Security is a process of continuous improvement of technology and human controls. Conceptually, it is similar to the Total Quality Management approach Walter Deming introduced in Japan during the 1960s. Just as perfect quality cannot be achieved, a corporate security program is never finished. It is always a work in progress, where professionals seek to do a better job each day to protect information, users, and customers.
Most companies employ adequate technology defenses. These include corporate firewall controls, anti-malware defenses, intrusion detection controls, patch management controls, and network vulnerability assessments. Many audit and industry standards mandate that privacy and protection be employed in a standard manner. Examples include Sarbanes-Oxley (SOX), the Payment Card Industry (PCI) Data Security Standard, and the Health Insurance Portability and Accountability Act (HIPAA).
User security awareness presents a unique challenge
While technological defenses have standard templates or settings to follow, how do we encourage best practices in the user community? The human side can be the most challenging aspect. Many firms rely more heavily on the technology side and avoid educating users in privacy or security controls, due to a lack of resources or unsuccessful campaigns in the past.
However, there is some danger in ignoring the user side of security. Tablet and smartphone devices are more powerful than desktop systems from just a few years ago. The security role of the user is more important than ever. From a technical standpoint, a corporation can be locked down as tightly as Fort Knox, but the user can still expose valuable information through careless handling. The old axiom of “Loose lips sink ships” is a paramount concern in our highly connected business environments.
Creating an effective security awareness program for 2013 requirements
Under the aforementioned audit standards, users must carefully follow protective standards that complement the technology controls. Developing a security awareness program is more art than science. It must be adaptable to the organizational culture and to specific business requirements. A successful program is built on the following foundation:
Corporate Policies and Standards
The security policy must be a living, breathing document that stays up to date with mobile computing, cloud-based applications, and other evolving technologies. These behavioral controls must be enforceable, with management setting the example to stress their importance. They must be easy to understand, practical, and promoted often.
Security Intranet Website
An internal security awareness website is a valuable resource for communicating policies, best practices, and safety tips throughout the organization. Many companies publish only their policies on the intranet. Allowing the security department to publish more in-depth content better educates the user community. Brief email bulletins with intranet links can promote key concepts, including step-by-step guidelines with screenshots.
Effective Communications
A “keep it simple” approach recognizes that users are hired for their business rather than technical expertise. The key concepts of avoidance, privacy, and information protection must still be taught. Multimedia can be used to capture instructor presentations or to support step-by-step guidelines with video, for example. Communications must be timed with balance, as too much frequency will lead to items being ignored.
Integration of Security Concepts into User Responsibilities
Using security policies, management backing, and effective communications, all employees must recognize that they are also gatekeepers in protecting customer and company confidentiality. A focused integration of security concepts into daily routines can remind users of their protective roles. One example is that developers should not have access to production data.
User Security Incentives
Security can be a dry and complex topic, and users may tune out when asked to participate. Companies may want to purchase additional licenses of their antivirus software and provide copies for home protection. Intranet pages that teach users how to avoid scams, malware attacks, and information disclosure at home carry over to the workplace as well. Teaching users to keep their home systems up to date and to run the latest versions of software will improve protection. A better protected home user is a better protected corporate user.
Executive Champion for the Security Campaign
As security is a vital business requirement, it is important to gain executive backing for the awareness program. Executives can forward a critical awareness message themselves or ensure that participants are freed from work to attend a brief formal training event. Just as Bill Gates championed the Microsoft TWC campaign, key executives can frame participation as being in the users’ best interest. This lets people know that it is important to take part in the process.
Formal Training Sessions
Brief, highly focused sessions can be held to share key concepts directly with users. Examples of formal training sessions might include stronger passwords, mobile security concepts, avoidance techniques, and improving privacy controls to better protect information. Allowing security professionals to conduct an hour-long session on a quarterly basis gives them visibility and creates a point of contact when future needs surface.
Creating a trustworthy computing environment takes years of focused and dedicated effort. Microsoft and other companies are continuing to build on this innovative strategy. Today, we see measurable benefits from this process of improving product security and emphasizing user education. Training and motivating people to process information safely is challenging in our flexible and highly connected environments. A well-designed security awareness program is a key resource for accomplishing this goal.