Nothing circumvents pricey defense-in-depth faster than people; educating workers about security is essential.
It's one of the hardest jobs a security officer has: teaching users about security. How do you grab an employee's attention during a busy workday? How do you get them to remember, let alone listen, about the need to create strong passwords and to be cautious when opening email attachments?
To deal with this dilemma, Lynne Pizzini pulls out her bag of tricks--literally. In training presentations at Blue Cross and Blue Shield of Montana, she incorporates magic. One of her tricks uses colored scarves to illustrate the importance of strong passwords and the different elements that go into them; the result is a single, multi-colored scarf.
Another trick aims to get employees to understand that they, with all their access to data, pose the greatest security risk. Pizzini displays cards that illustrate seven security risks discussed in the presentation and shuffles them face down, however many times a participant indicates. Then Pizzini spells out "right" by flipping one card for each letter of the word (indicating that employees always want to do what's right); the "employees" card always appears as the letter "t" is reached.
Pizzini, security and privacy official at Blue Cross, says she found magic effective when she first used it a couple of years ago in a series of presentations to the health insurer's 700 employees. Afterward, employees told her they remembered her trick. "It was awesome for me to discover that it actually works," she says.
Pizzini's method may be unique, but organizations are using everything from online tutorials, newsletters, MP3s and prizes to get the security message across to their rank and file, all in an effort to protect themselves from the perennial weakest link: people. While companies spend tens of thousands of dollars on security technologies such as firewalls and access controls, their employees can undercut those defense mechanisms by sharing passwords, falling for social engineering scams, or just not being aware of corporate security policies (see "10 Best Practices," below).
10 BEST PRACTICES
The University of California, Santa Cruz uses this list as a key part of its information security awareness training program.
- Use cryptic passwords that can't be easily guessed--and protect your passwords.
- Be cautious when using the Internet.
- Practice safe emailing.
- Secure your area before leaving it unattended.
- Secure your laptop computer at all times; keep it with you or lock it securely before you step away.
- Shut down, lock, log off of or put your computer to sleep before leaving it unattended, and make sure it requires a password to start up or wake up.
- Make sure your computer is protected with antivirus and all security patches and updates, and that you know what you need to do, if anything, to keep them current.
- Don't keep sensitive information or your only copy of critical data, projects, files, etc., on portable devices (such as laptop computers, CDs/floppy disks, memory sticks, PDAs and data phones) unless they are properly protected.
- Don't install unknown or unsolicited programs on your computer.
- Make backup copies of files or data you are not willing to lose--and store the copies very securely.
The detailed list is available at http://its.ucsc.edu/security_awareness/top10.php.
In Deloitte Touche Tohmatsu's 2007 Global Secu-rity Survey, close to 80 percent of financial services respondents cited the human factor as the root cause for information security failures. Despite the threat, nearly a quarter of those surveyed hadn't provided any security awareness training in the past year.
Many organizations focus their training efforts on IT workers rather than their non-technical users, relegating security to a technical problem, says Rob Cheyne, CEO of training firm Safelight Security Advisors. But regulatory requirements and a slew of data breaches are leading more businesses to expand their focus. "We're starting to see a mental migration," says Winn Schwartau, founder of SCIPP International, a nonprofit provider of end-user security awareness training and certification (see "Keys to Success," below).
In fact, with corporate emphasis on governance, risk management and compliance, awareness training is more important than ever, says Howard Schmidt, former White House cybersecurity adviser and (ISC)2 security strategist. "The weak link, as we've seen time and again, is the employee/end user," he says.
Compliance aside, training non-technical employees is simply an essential part of an information security program for many security professionals.
"Training by itself doesn't solve all your security issues, of course, but just raising the awareness of any of your employees will add to the level of security you have as a company," says John Penrod, CISO at The Weather Channel.
MAGIC AND MORE
At Blue Cross Montana, Pizzini's security awareness efforts include not only her magic-laced presentations but also online training, annual awareness events, posters, calendars and security tips posted on the company's intranet. She gives presentations every other week for new employee training and also at an all-company annual training event.
The idea of using magic came from Pizzini's volunteer work. She's a trained clown; clowns usually have a shtick, she says, and hers is magic. When performing for kids, she uses magic to teach a lesson; she got the company's permission to try the same technique in her training.
Pizzini also uses catchy themes and prizes to entice employees during the annual awareness events. Last year the theme was "Don't duck your responsibility," and included contests in the break room. Employees who correctly answered security questions won prizes like rubber ducks and fish-shaped crackers.
"It doesn't matter what it is, as long as you're giving something away," Pizzini says. "Food works really well. It draws people in, then you get to talk to them about security."
This year's theme was the Olympics, and early planning for last month's event included rubber band target shooting contests and slogans such as "Going for the gold in security." A 2008 office calendar with Olympic-themed images tied into security messages. "We're using those types of things to make it a little more fun," Pizzini says.
To help reinforce the message, security tips are often included in weekly company email updates and snippets of security information change daily on the intranet's front page. "The more times they get the information, the more they remember it," says Pizzini, who is also the manager of Blue Cross' compliance and ethics department.
Indeed, a core component of security awareness training is repetition, security professionals say. Users need to hear messages about strong passwords and phishing scams several times for them to sink in and stick.
"It's not a one-time thing you do and you're done. It's ongoing," says Joan Rose, who leads information security awareness and training at Kaiser Permanente, a health care organization in nine states and Washing-ton, D.C., with more than 150,000 employees.
At the same time, training must be kept fresh; a message can't be told the same way multiple times, Rose adds. Moreover, it has to resonate. "It's a challenge," she says. "People are so busy with their jobs. You have to figure out a way to make it relevant to them."
Materials and More
Here are some of the many resources available for end-user security awareness training.
- The Federal Trade Commission, in partnership with the technology industry and other federal agencies, provides practical tips, videos and tutorials on computer security at www.onguardonline.gov.
- The National Cyber Security Alliance offers security tips for home users and small businesses at www.staysafeonline.info.
- The National Institute of Standards and Technology (NIST) lists resources, including links to companies that sell awareness videos, posters, training modules and other materials, at http://csrc.nist.gov/groups/SMA/ate/index.html. NIST Special Publication 800-50, "Building an Information Technology Security Awareness and Training Program," was prepared for federal agencies, but can be used by nongovernmental organizations: http://csrc.nist.gov/publications/nistpubs/800-50/NIST-SP800-50.pdf.
- SCIPP International, a nonprofit providing information security awareness training and certification programs for enterprise end users, also offers a safety resource package for home users, at www.scippinternational.org.
One way organizations make security resonate with their employees is by providing home computer security tips.
Kaiser's training program includes a corporate website dedicated to security awareness and geared to the non-technical employee, featuring advice on home computer security and how to keep kids safe online, along with information on legislation like HIPAA and company security policies.
"My philosophy is that if you have good security practices at home, you'll have good security practices at work," Rose says.
The website augments Kaiser's tutorials, which are online, instructor-led or a hybrid, led by an instructor over the phone. Rose also attends Kaiser events on general workforce safety and hands out flyers with tips on laptop security and other topics, and includes security tips in company newsletters and other publications.
"People basically want to do the right thing but they have to know what the right thing to do is, and it has to make sense to them," she says.
At The Weather Channel, home computer security has been a popular topic at quarterly training sessions for the weather information provider's 1,000 employees (see "Parental Guidance," below).
"The more secure they keep their home systems, the more secure they keep the environment that they use to connect to us, and obviously, the more secure we'll be," Penrod says.
Sessions normally focus on one topic, from how to protect children online and various types of malware to how to steer clear of phishing attacks. "You can't bury a person in too much training," Penrod says, noting that security awareness must fit into other types of corporate training.
Support from executive management for promoting security helps, he adds. For example, it gives employees tacit approval to take time off from their jobs for security training.
McAfee offers parents 10 ways to protect their kids online
- Monitor your children's use of the Internet. Put the computer in a high-traffic family area and limit nighttime use.
- Fortify your computer with strong security software.
- Make sure kids understand basic rules for using social networking sites such as MySpace and blogs. They should guard their passwords, and never post personally identifying information or inappropriate photos.
- It's imperative that your kids let you know if they arrange in-person meetings with people they meet online. Before any such meeting, you should confirm the person's identity and accompany your child to the meeting in a public place.
- When using P2P file-sharing programs, kids should not download files from users they don't know.
- Don't allow kids to fill out online forms or surveys.
- Only allow your children to use monitored chat rooms and have them use a screen name that doesn't hint at their true identity.
- Teach your kids to ignore emails and instant messages from people they don't know.
- Use browsers for kids and kid-oriented search engines. Children's browsers such as Kid Browser 1.1 do not display inappropriate words or images. Ask for Kids and Yahooligans perform limited searches and screen search results.
- Let your kids find appropriate and helpful Web sites using lists put together by experts in the field. The American Library Association offers the ALA Great Web Sites for Kids.
A detailed list is available at the McAfee Security Advice Center.
FLEXIBILITY AND CUSTOMIZATION
Care New England Health System, a health care provider based in Providence, R.I., takes a multi-pronged approach to train its employees on safe computer practices and corporate policies on handling sensitive data. There's online training for new employees and annually for all employees, quarterly classroom training, a bimonthly newsletter, and MP3s that offer the newsletter tips in audio format. The organization realized it needed a flexible method to reach all of its 15,000 employees.
"Our employees are notoriously difficult to get to do some of this training because they're really busy," says Larry Pesce, manager of IS security and disaster recovery at Care New England. "We originally tried to do some of the training via email. We hadn't realized that a lot of our staff doesn't access email."
Nurses, for example, are busy treating patients rather than checking email. The MP3s, which are listed on the organization's intranet, allow employees who don't have time to sit down at a computer to read a newsletter to listen to it in the background while they work.
Justin Drain also uses a variety of techniques in his awareness programs. He's the data security manager at Fremont Bank, a community bank in Northern California with about 600 employees. Face-to-face training can have the most impact, says Drain, who spices up his presentations with jokes that entertain and drive home a security point.
"You want to make sure someone who doesn't know anything about IT is going to remember the high-level ideas," he says.
Presentations can be fine-tuned for employee groups with specific security concerns--for instance, those who deal with the public versus those in data entry, Drain says. But he believes Web-based training offers the best bang for the buck because it's flexible and employees can access it during down time in their workday.
Throughout, it's important to help employees understand how security applies to them, Drain says. "We want them to feel engaged and empowered. ...They can say, 'This is how I can do my job better and support my clients better.'"
Spread the Word
Distributing the work of security awareness to employees throughout a company helps get the message across.
Spreading the workload can make for a successful security awareness program, says Dave Shackleford, former CTO at the Center for Internet Security and now director of Configuresoft's Center for Policy & Compliance.
A large, distributed company where he worked used Security Points of Contact (SPOCs), a group of 400 employees, including office managers and administrators, who served as the security contact in their local offices. Rather than sending newsletters or other awareness materials to the entire company, Shackleford and the security team trained the SPOCs, who arranged monthly local get-togethers to share the security tips. In return, the SPOCs would receive small prizes every quarter.
The SPOCs solved the training problem the company faced due to its many remote locations and employees with little computer savvy. They were willing "to give a little of their time and effort outside of their normal duties to be our eyes and ears at these locations," Shackleford says.
Attendance at the local meetings was good and the security team got a sizable response on employee security surveys. The SPOCs were effective because employees heard about security from people they knew rather than a geek from corporate headquarters, he says. "They didn't feel security was being shoved down their throats."
So after all the classes, online training and tips, how does a security professional know whether the effort is paying off? Measuring the effectiveness of awareness training can be tough. How do you measure something that hasn't happened, like a breach?
Many, like Pizzini, rely on informal feedback from employees. Drain says he gauges whether he's getting through to employees based on the questions they ask him. Some use surveys and others test their employees' security awareness via social engineering/ penetration tests.
USA Federal Credit Union has performed social engineering tests the past two years. Last year, an auditor pretending to be a contractor got into a branch break room before employees questioned him. This year, he didn't make it past the lobby at two different branches. Also, phishing emails used as part of the test failed to fool any employees this year, a huge improvement over the 60 percent that fell for them last year.
"I was walking around like a proud mother," says Carolyn James, senior vice president and CIO at USA Federal. "It's just obvious that continual awareness training helps."
James says it's important to remind employees about security without nagging them and to make it fun. Her awareness program involves presentations to new employees and computer-based training that all of the credit union's 220 employees must take annually. She regularly sends emails or posts items on the company intranet, and sometimes includes funny pictures to catch users' attention. She's also given out stress balls in the shape of a key and printed with the slogan, "You are the key to security."
Some argue that employees will take training seriously if they know there are consequences for security miscues--reprimands or even termination. But many, like James, try to avoid scare tactics. In staff meetings and company-wide emails, she praises employees who send her phishing emails they receive or notify her of other suspicious activity.
The positive reinforcement pays off: "People email me on a regular basis when they find something that looks suspicious," James says. "It's almost like I have my own posse."
Publishing a list of employees whose passwords successfully passed an auditor's strength test sparked some healthy competition between employees, who eagerly called her to find out how their passwords fared. "They were shocked that a password they considered secure was cracked in 15 seconds," James says.
Care New England also tests whether employees are taking security lessons to heart. It uses software from Core Security Technologies to send out emails that measure how employees respond to phishing and other email threats. "If they click on a link, you remind them of the training and they say, 'Oh, I get it now'," Pesce says.
Some security experts debunk training as useless. For instance, Marcus Ranum wrote that user education was one of the six dumbest ideas in computer security. If it was going to work, it would have worked by now, he argues. And some security specialists, Pesce says, argue that it's better just to lock down everything instead of relying on humans to do the right thing--a notion with which he partially disagrees.
"We can only do so much to secure the systems, manage risk and still have them usable," he says "Even if we only catch 50 percent of our users with this [training], that's still 50 percent we wouldn't have if we hadn't done it."
Pizzini, meanwhile, is always on the lookout for new magic tricks to add to her lessons.
Security awareness training is critical to an overall information security program, she says: "The more education you provide, the better off you are."