When it comes to information security, your biggest vulnerability is not necessarily your computers. It’s your users. Every day, employees make glaring errors such as posting their passwords where others can see them, downloading and opening e-mail attachments that contain viruses, and failing to shut down their computers at night. Human error, not system weaknesses, is the leading cause of serious security violations, according to the “Committing to Security Benchmark Study” sponsored by the Computing Technology Industry Association (CompTIA).
Because human actions greatly affect computer security, you must educate your employees, IT staff, and management to make security a priority and develop good security habits. If you don’t feel confident supplying that information, hire an outside consultant. Organizations such as the SANS (SysAdmin, Audit, Network, Security) Institute, the Computer Security Institute, and the MIS Training Institute specialize in such training and can help companies worldwide.
General User Training: Focus on Compliance
“One of the crucial things about awareness is tailoring your message to specific audiences,” says John O’Leary, director of education at the Computer Security Institute, which offers computer security training, peer groups, and conferences. “You can’t talk to upper management the way you talk to the technical group.”
The general user population, for example, does not need to know how the network firewall works. “You need to tell the end user what they have to do to get their jobs done,” says O’Leary, who has worked in computer security for 30 years. “How does this affect my ability to process claims transactions? How does this affect my ability to run a manufacturing line?”
People need reasons, both positive and negative, for changing their behavior, O’Leary says. In security, that means explaining how good security habits benefit the employee and company, and how bad habits hurt them. Benefits may include networks that run smoothly and that let workers perform their jobs better. This in turn improves overall company productivity. “Security is just good management, and better management improves every aspect of a workplace,” he says.
As for negative consequences, O’Leary suggests using real examples. For instance, when your computer has a virus, you can’t use it, and therefore you can’t accomplish important tasks. Also explain to employees that individual security breaches have company-wide effects. Some negative effects may include bad customer service and possible lawsuits. “Lawyers now are starting to salivate over the possibilities of what’s known as ‘downstream liability.’ If you didn’t apply a patch, and someone went through \[your computer network\] to attack someone else, \[your company\] might get sued,” he says.
When educating employees, give positive reinforcement rather than scolding them. O’Leary says that constant negative feedback will not inspire your employees to perform as you want them to.
Emphasize that computer security means having good daily habits. The “Common Sense Guide for Senior Managers” from the Internet Security Alliance recommends that before you issue an employee a password, you make sure that the employee understands some important security topics. These topics include protecting passwords, using the Internet safely, avoiding online security and privacy scams, and following the privacy policies of the company.
To effectively teach employees, John Venator, the CEO of CompTIA, recommends making security training a key part of new employee orientation. O’Leary also suggests sending a trainer to the workstations of current employees to teach them about security practices. In addition, he recommends that you provide current employees with written documentation that they can use to answer their security questions.
IT Staff Training: Focus on Standards
When talking to IT staff about security, choose an IT employee or consultant to help with the training. The IT person that you choose should be someone who can answer all technical questions that your IT staff may have. “You don’t want to make a technical error in front of techies because you lose credibility instantly,” O’Leary says.
The IT department should make sure that its approach to educating IT staff about security issues and technologies complies with the industry standards and guidelines established by leading security organizations in their region. For example, in the United States, companies might turn to the Computer Security Division of the National Institute of Standards and Technology or the CERT Coordination Center of Carnegie Mellon University. Many companies make formal security certification—not just training—a requirement of employment for IT staff, whether they get their certification with CompTIA, Microsoft, or any other certifying organization, Venator says.
Even before training, however, IT staff can immediately improve security by installing a firewall or frequently checking antivirus and security patch updates, says Randall Palm, the director of IT at CompTIA. This is especially important for remote network users. Also, make sure that you understand what built-in security features your software products contain, and ask your vendor how to best use those features, Venator suggests.
Management Training: Focus on Leadership
Upper management plays a crucial role in information security by setting priorities and convincing staff across the organization to follow security guidelines. To gain management support, O’Leary suggests stressing the business urgency of adopting uniform security procedures. “We talk about dollars, but we also talk about the mission of the organization and the possibility of embarrassment for the firm resulting from a security breach,” he says.
Beyond the standard employee training, upper management needs special instruction on how to protect sensitive company data such as customer files. For instance, executives traveling with laptops should learn how to use encryption software, O’Leary says.
Security Training on a Budget
To keep costs down, use in-house resources, suggests O’Leary. “\[The training department\] might be able to put together a 10-minute movie,” he says. Or someone from the IT staff could volunteer to give presentations at department meetings. “Give them 10 minutes to speak on the use of encryption or some sort of security-related topic.” To stay aware of current computer security threats in your industry and region, make sure your IT staff participates in user groups on information security on a regular basis.
Making Security Stick
To stay safe, companies must make IT security an ongoing, daily habit. After training your staff in better security practices, measure whether the desired changes in behavior have indeed occurred, says O’Leary. Are people creating better passwords? Are traveling executives using encryption? Are there fewer serious incidents of preventable damage from malicious code?
The “Common Sense Guide for Senior Managers” advises companies to “create, enforce, and regularly review security policy.” The guide recommends that you use system and network monitoring tools together with reporting and analysis procedures to do so.
Standard communication channels throughout the company also can help you make sure that good security habits stick. E-mail reminders, posters, incident alerts, and even quarterly security publications are some of the methods you can use, O’Leary says. “An IT security intranet Web site can also be a valuable awareness tool. Contests with prizes, puzzles, and games can draw people to the site,” he adds.
Finally, everyone must realize that information security is an essential part of modern business. Network security threats are real, and they can devastate your company's ability to serve customers. Palm explains: “The biggest mistake is to feel safe enough and relax your daily improvement of your security model.”