It's something technology can't control. "The human being is the most precious asset a company has, and the most dangerous thing," says the founder of an international security company in the UK.
I remember a funny incident: an executive manager in one of the largest multinational financial companies, while walking on the office floor, noticed a couple of unlocked user PCs. He sent a broadcast email from one PC which said, "Dear All, Today's Lunch is by me (By user X)!" It's a happy message, but here is the more panicky one from another PC... "Dear All, I am resigning from my job with immediate effect! (By user Y)". The ethics behind such messages might be debated, but the moral of the incident is that employees should not leave their desks with unattended pieces of information, whether digital or in black and white.
Employee awareness of the "Importance of Information Security" needs to be addressed effectively, and this could be a team effort by the HR and Training, IT, Security and Marketing departments.
Information Security Awareness Training - Current Flaws
The main problems with how information security awareness techniques are commonly implemented relate to "business culture" and "awareness approach". It's a common assumption that if someone is aware of a risk or threat, then their behavior will change. If you are aware of the presence of attack dogs, you will take care while walking along those countryside roads. The reality is that people may well be aware of the risk but feel constrained by other factors, such as the established business culture.
Another problem is that information security professionals don't realize that information security awareness is all about marketing. Mouse mats, motivational posters and screen savers with messages copied from the organization's security policy are quite easy to do, but in reality a creative marketing approach involves audience research, careful targeting of communications, and measuring the outcome. The people part of security implementation is always left unattended. The patient is dying of the common cold due to poor nursing, and yet the doctors are concentrating on the health of hearts and brains. Yes, the fundamental risks need to be prioritized.
The problem with managing employees is managing the motivation of the company itself.
Information Security Awareness Training - A Balanced Approach
No software or anything in black and white can stop the spilling of company secrets through the mouths of employees. The only solution is to promote real behavioral change. It is like the carrot-and-stick model of reward and punishment for behavior. You might push for information security compliance either by punishing bad behavior or by rewarding good behavior. The carrot is the better option. The logic is that rewards always motivate! From my personal experience, I have two small kids, and if I buy some chocolates or toys rather than getting out a stick, the effect will be healthy and rewarding as well. The same applies to information security awareness training.
For example, if you are planning to apply complexity requirements for Windows passwords, you could either punish or issue warnings to those who use simple passwords such as "name123". On the other hand, you could show an example of a strong password and give small rewards to the employees who then follow that example. What would be your choice?
What Do Users Need to Know?
Users need to know about the information security issues that affect their work, their home, themselves and their families. They need to understand the threats and risks, as well as the methods they can personally use to defend against these threats.
To illustrate the human element, let's consider an example. You might have noticed stickers in hospitals and other public places illustrating the ideal steps to wash your hands... Health authorities and other social services organizations took many years to develop the so-called cultural acceptance of the practice of washing one's hands to prevent infection, because there wasn't an instantaneous negative consequence to not washing them. It's the same with information security. When you click an anonymous email or a picture of a fair lady, your computer doesn't immediately blow up; it may just get a bit slow. Someone else's information gets stolen, and it never comes back to hurt the individual person. Hope you got the logic!
Message to Information Security Professionals
Many organizations are overlooking the security basics in favor of sexy new cyber-attacks most people don't know about. They worry about cyber attacks from China or Russia, but they haven't even fixed the basics that have been broken for years, since the inception of the business. Hackers understand "human nature" and its impact on "employee behavior" very well; that's why social engineering and phishing attempts flourish more than ever before.
Best Practices
(1) Communicate to users how important it is to them personally: People are more receptive to information that affects them personally. Training should focus on safe usage not only at the workplace, but also on how it applies at home.
(2) Communicate with real-world examples: Keep everyone's attention by citing examples the audience can identify with and whose impacts they can appreciate. Use any recent public information (internal or external) for which the consequences can be understood.
(3) Communicate the importance of end user security awareness efforts: Vulnerabilities are not only exploited from the outside, but can also be exploited from the inside. Approach security awareness with seriousness and give users the tools to help with security efforts.
"We're coming around to needing a balance between technological countermeasures and change in behavior countermeasures," says Williamson of (ISC)2, USA. Organizations must decide which user behavior they most care about and focus their efforts on controlling that risk.
Security professionals should also examine the attitudes and beliefs in their organization, and take a positive approach with the right balance of technology and the human element in order to ensure a secure computing environment for the business.