Nothing circumvents pricey defense-in-depth faster than people; educating workers about security is essential.
To deal with this dilemma, Lynne Pizzini pulls out her bag of tricks--literally. In training presentations at Blue Cross and Blue Shield of Montana, she incorporates magic. One of her tricks uses colored scarves to illustrate the importance of strong passwords and the different elements that go into them; the result is a single, multi-colored scarf.
Another trick aims to get employees to understand that they, with all their access to data, pose the greatest security risk. Pizzini displays cards that illustrate seven security risks discussed in the presentation and shuffles them face down, however many times a participant indicates. Then Pizzini spells out "right" by flipping one card for each letter of the word (indicating that employees always want to do what's right); the "employees" card always appears as the letter "t" is reached.
Pizzini, security and privacy official at Blue Cross, says she found magic effective when she first used it a couple of years ago in a series of presentations to the health insurer's 700 employees. Afterward, employees told her they remembered her trick. "It was awesome for me to discover that it actually works," she says.
Pizzini's method may be unique, but organizations are using everything from online tutorials, newsletters, MP3s and prizes to get the security message across to their rank and file, all in an effort to protect themselves from the perennial weakest link: people. While companies spend tens of thousands of dollars on security technologies such as firewalls and access controls, their employees can undercut those defense mechanisms by sharing passwords, falling for social engineering scams, or just not being aware of corporate security policies (see "10 Best Practices," below).
In Deloitte Touche Tohmatsu's 2007 Global Security Survey, close to 80 percent of financial services respondents cited the human factor as the root cause for information security failures. Despite the threat, nearly a quarter of those surveyed hadn't provided any security awareness training in the past year.
Many organizations focus their training efforts on IT workers rather than their non-technical users, relegating security to a technical problem, says Rob Cheyne, CEO of training firm Safelight Security Advisors. But regulatory requirements and a slew of data breaches are leading more businesses to expand their focus. "We're starting to see a mental migration," says Winn Schwartau, founder of SCIPP International, a nonprofit provider of end-user security awareness training and certification (see "Keys to Success," below).
In fact, with corporate emphasis on governance, risk management and compliance, awareness training is more important than ever, says Howard Schmidt, former White House cybersecurity adviser and (ISC)2 security strategist. "The weak link, as we've seen time and again, is the employee/end user," he says.
Compliance aside, training non-technical employees is simply an essential part of an information security program for many security professionals.
"Training by itself doesn't solve all your security issues, of course, but just raising the awareness of any of your employees will add to the level of security you have as a company," says John Penrod, CISO at The Weather Channel.
MAGIC AND MORE
The idea of using magic came from Pizzini's volunteer work. She's a trained clown; clowns usually have a shtick, she says, and hers is magic. When performing for kids, she uses magic to teach a lesson; she got the company's permission to try the same technique in her training.
Pizzini also uses catchy themes and prizes to entice employees during the annual awareness events. Last year the theme was "Don't duck your responsibility," and included contests in the break room. Employees who correctly answered security questions won prizes like rubber ducks and fish-shaped crackers.
"It doesn't matter what it is, as long as you're giving something away," Pizzini says. "Food works really well. It draws people in, then you get to talk to them about security."
This year's theme was the Olympics, and early planning for last month's event included rubber band target shooting contests and slogans such as "Going for the gold in security." A 2008 office calendar with Olympic-themed images tied into security messages. "We're using those types of things to make it a little more fun," Pizzini says.
To help reinforce the message, security tips are often included in weekly company email updates and snippets of security information change daily on the intranet's front page. "The more times they get the information, the more they remember it," says Pizzini, who is also the manager of Blue Cross' compliance and ethics department.
Indeed, a core component of security awareness training is repetition, security professionals say. Users need to hear messages about strong passwords and phishing scams several times for them to sink in and stick.
"It's not a one-time thing you do and you're done. It's ongoing," says Joan Rose, who leads information security awareness and training at Kaiser Permanente, a health care organization in nine states and Washington, D.C., with more than 150,000 employees.
At the same time, training must be kept fresh; a message can't be told the same way multiple times, Rose adds. Moreover, it has to resonate. "It's a challenge," she says. "People are so busy with their jobs. You have to figure out a way to make it relevant to them."
Kaiser's training program includes a corporate website dedicated to security awareness and geared to the non-technical employee, featuring advice on home computer security and how to keep kids safe online, along with information on legislation like HIPAA and company security policies.
"My philosophy is that if you have good security practices at home, you'll have good security practices at work," Rose says.
The website augments Kaiser's tutorials, which are online, instructor-led or a hybrid, led by an instructor over the phone. Rose also attends Kaiser events on general workforce safety and hands out flyers with tips on laptop security and other topics, and includes security tips in company newsletters and other publications.
"People basically want to do the right thing but they have to know what the right thing to do is, and it has to make sense to them," she says.
At The Weather Channel, home computer security has been a popular topic at quarterly training sessions for the weather information provider's 1,000 employees (see "Parental Guidance," below).
"The more secure they keep their home systems, the more secure they keep the environment that they use to connect to us, and obviously, the more secure we'll be," Penrod says.
Sessions normally focus on one topic, from how to protect children online and various types of malware to how to steer clear of phishing attacks. "You can't bury a person in too much training," Penrod says, noting that security awareness must fit into other types of corporate training.
Support from executive management for promoting security helps, he adds. For example, it gives employees tacit approval to take time off from their jobs for security training.
FLEXIBILITY AND CUSTOMIZATION
"Our employees are notoriously difficult to get to do some of this training because they're really busy," says Larry Pesce, manager of IS security and disaster recovery at Care New England. "We originally tried to do some of the training via email. We hadn't realized that a lot of our staff doesn't access email."
Nurses, for example, are busy treating patients rather than checking email. The MP3s, which are listed on the organization's intranet, let employees who don't have time to sit down at a computer and read a newsletter listen to it in the background while they work.
Justin Drain also uses a variety of techniques in his awareness programs. He's the data security manager at Fremont Bank, a community bank in Northern California with about 600 employees. Face-to-face training can have the most impact, says Drain, who spices up his presentations with jokes that entertain and drive home a security point.
"You want to make sure someone who doesn't know anything about IT is going to remember the high-level ideas," he says.
Presentations can be fine-tuned for employee groups with specific security concerns--for instance, those who deal with the public versus those in data entry, Drain says. But he believes Web-based training offers the best bang for the buck because it's flexible and employees can access it during down time in their workday.
Throughout, it's important to help employees understand how security applies to them, Drain says. "We want them to feel engaged and empowered. ...They can say, 'This is how I can do my job better and support my clients better.'"
Many, like Pizzini, rely on informal feedback from employees. Drain says he gauges whether he's getting through to employees based on the questions they ask him. Some use surveys and others test their employees' security awareness via social engineering/penetration tests.
USA Federal Credit Union has performed social engineering tests the past two years. Last year, an auditor pretending to be a contractor got into a branch break room before employees questioned him. This year, he didn't make it past the lobby at two different branches. Also, phishing emails used as part of the test failed to fool any employees this year, a huge improvement over the 60 percent that fell for them last year.
"I was walking around like a proud mother," says Carolyn James, senior vice president and CIO at USA Federal. "It's just obvious that continual awareness training helps."
James says it's important to remind employees about security without nagging them and to make it fun. Her awareness program involves presentations to new employees and computer-based training that all of the credit union's 220 employees must take annually. She regularly sends emails or posts items on the company intranet, and sometimes includes funny pictures to catch users' attention. She's also given out stress balls in the shape of a key and printed with the slogan, "You are the key to security."
Some argue that employees will take training seriously if they know there are consequences for security miscues--reprimands or even termination. But many, like James, try to avoid scare tactics. In staff meetings and company-wide emails, she praises employees who send her phishing emails they receive or notify her of other suspicious activity.
The positive reinforcement pays off: "People email me on a regular basis when they find something that looks suspicious," James says. "It's almost like I have my own posse."
Publishing a list of employees whose passwords successfully passed an auditor's strength test sparked some healthy competition between employees, who eagerly called her to find out how their passwords fared. "They were shocked that a password they considered secure was cracked in 15 seconds," James says.
Care New England also tests whether employees are taking security lessons to heart. It uses software from Core Security Technologies to send out emails that measure how employees respond to phishing and other email threats. "If they click on a link, you remind them of the training and they say, 'Oh, I get it now'," Pesce says.
Some security experts dismiss training as useless. For instance, Marcus Ranum wrote that user education was one of the six dumbest ideas in computer security. If it were going to work, it would have worked by now, he argues. And some security specialists, Pesce says, argue that it's better just to lock down everything instead of relying on humans to do the right thing--a notion with which he partially disagrees.
"We can only do so much to secure the systems, manage risk and still have them usable," he says. "Even if we only catch 50 percent of our users with this [training], that's still 50 percent we wouldn't have if we hadn't done it."
Pizzini, meanwhile, is always on the lookout for new magic tricks to add to her lessons.
Security awareness training is critical to an overall information security program, she says: "The more education you provide, the better off you are."