Is your enterprise a security thicko?
Security training needs to be much more targeted if it is to be successful, argues Davey Winder.
Is there also a disconnect between who is getting trained and who needs training the most? In other words, is it more important to educate those at the top of the management tree or those on the shop floor?
I was talking to the head of security at a rather large corporate during the recent Information Security Journalism Awards lunch, and he happened to mention how the policy on dealing with the risk involved in the CEO visiting China with a company laptop was to mitigate it by simply destroying the laptop once he returned. This highlights the problem, albeit in a rather extreme fashion, of how the top echelon of executives in the enterprise can pose a threat courtesy of them bringing new devices or foreign gadgets, unchecked, into the workplace.
Just because it's a different threat from the one shop floor workers pose doesn't make one level of staff any more of a risk than the others, though. When it comes to awareness and training, as Dimension Data's Jenkins says: "Every level of the organisation, from CEO to ground floor need to be educated. Each can pose a threat to the integrity of an organisation's IT infrastructure, even if they do not know it."
People (not positions) are always the weakest link when it comes to enterprise security, and as such everyone needs training equally. But equal does not mean the same in this context. Indeed, all staff need training, but some will require different training to others. To do otherwise and have a one-course-fits-all approach is non-productive. For example, executives who travel a lot need educating about the specific practical risks of accessing hotspots, carrying unencrypted data and so on, whereas those employees tasked with looking after the enterprise infrastructure would most benefit from technical training.
"As a rule of thumb," Fujitsu's Robinson reminds us, "all employees should have a good idea of what the company policy is, what to do in case of a security incident and who to contact in the first instance."
When considering the top of the tree versus the feet on the ground, it's immediately clear that the sheer number of people on the shop floor presents a much wider vulnerability spectrum for an organisation. "Especially considering it is often part of their job to be hospitable, supportive, and assistant to customers or random people seeking information," Outpost24's Jarteilus says.
He adds: "If you consider that the majority of financially driven security breaches are opportunistic in nature, who would you target - the few in the top of the tree who are difficult to access, or the dozens/hundreds of Average Joes with access to the same networks?"
However, as Don Smith, director of technology at Dell SecureWorks points out: "If management aren't adequately trained, it's unlikely an organisation will make a significant investment in wider staff training."
Perhaps then, the initial focus needs to be top of the tree in order to allow those grazing beneath to reap the benefit later? The simple fact is that leadership is vital: no matter how 'aware' the shop floor is, if staff see the executives flouting the rules then they are unlikely to be motivated to follow them themselves.
"The key thing here is that awareness and education can't be done in isolation. It needs to be part of a broader cultural move which sees users as the 'first line of defence' almost," says KPMG's Bonner, who insists education and awareness is just one way of embedding the culture and reinforcing key messages. It needs to be linked to objectives, incentives and discipline to back it up as well as the role of leadership.
So, bearing all this in mind, how can the enterprise best implement a security awareness training strategy that will succeed? We turned to Dell SecureWorks's Smith for some tips as Dell has been helping a FTSE-100 organisation roll out a particularly effective training programme. The result? Cyber security has become what it calls 'part of the DNA of the organisation'.
Smith points to three keys in order to follow this route to success:
- Security training should be delivered in a face-to-face session, not using online learning tools;
- Honesty is the best policy. Organisations should be open and communicate the impact of previous breaches;
- Provide tips and skills which will help to secure an employee's personal online life. Employees will be more attentive if the training course offers something they can take home with them.
Garry Sidaway, global security director at NTT Com Security, agrees that such training applies more than ever now with staff regularly working out of the office. Employees need to understand the consequences of their actions and companies need to make it clear what constitutes acceptable and unacceptable behaviour, he suggests.
"Organisations need to better engage with staff to define policies and procedures and understand how they work and operate," Sidaway says. "It is important that everyone understands they have a responsibility to behave in accordance with acceptable and expected behaviours when it comes to company information."
Meanwhile, David Emm, senior security researcher at Kaspersky Lab, feels that while there are external resources that can help companies design and implement their security awareness strategy, ultimately a company needs to internalise security. "One of the traps that companies can fall into is giving the job of security education to IT specialists," Emm warns.
He continues: "They understand technology and the potential security risks surrounding it. However, they're not always the best people to communicate it. When companies want to engage with the outside world, they make use of highly-trained sales and marketing professionals. Why not when communicating with their own staff?"
And it shouldn't end there. If security education is to be effective, it must have involvement from the company's HR and legal teams too. If an organisation has a security working group containing representatives from different areas of the company that meets periodically to review security strategy (and if not, why not?!) then it should make sure that security education is an integral part of their work.