Your company has security policies, but can you prove your employees know the policies related to their jobs? If you answer no, then you may have trouble enforcing your policies. Handing employees the policies on their first day of work isn't enough either.
"Employees on their day of hire have 50 gazillion things to sign, ranging from benefits to 401k forms. Chances are they don't pay a lot of attention to material about computer security," said Steve Kahan, vice president of marketing for Houston-based PentaSafe Security Technologies Inc. and president of the Human Firewall Council.
The council is made up of security professionals, analysts, vendors, government officials and academics. Its mission is to raise the security awareness of organizations by providing research and tools to make employees more aware of the need for security. The council provides benchmarks for employee security awareness and for security management practices in the organization. The benchmarks allow companies to see how they stack up compared with companies of similar size in the same industry.
The council did a study looking at the security awareness of more than 1,500 organizations and found few companies at which employees truly know the security policies. "Typically, you would find even people in the security departments don't know all the policies," Kahan said.
At one point, members of the council walked around Victoria Station in London with a BBC camera crew asking passersby for their passwords. Eight out of 10 people willingly gave it on camera, Kahan said. "They didn't understand their password-disclosure policies," he said.
Getting employees to understand password and other security policies is imperative if the policies are going to be enforceable. Human resources departments at companies today do a good job educating employees about sexual harassment policies. On the other hand, a lot of human resources workers probably aren't that familiar with their company's security policies themselves, Kahan said.
A good first step in educating employees about security policy is figuring out which policies impact which employees. "A salesperson who uses a laptop on the road will have different things to know than an administrator in the IT department," Kahan said. "If you give people things that don't apply to them, they won't read."
Distributing the relevant policies to the proper employees is only the first step. Companies then need to test employees to verify that they know the policies, Kahan said. Web-based systems, such as those available from NetIQ Corp. of San Jose, Calif., can quiz employees and verify that they know the policy. These systems tell security managers which workers need additional training.
Testing doesn't need to be boring. Companies can be pretty innovative about it. A major antivirus vendor recently sent out a bogus e-mail with an attachment to its employees. The purpose of the exercise was to see what people would do with suspicious e-mails. A few opened it. Most just deleted it. Some sent it to the proper person who screens such things.
In addition to making sure employees know policies, there have to be structures in place to make sure employees can bring security incidents to the attention of the security department, Kahan said. For example, employees would know what to do if they saw someone breaking into a car in the company parking lot. They would inform security guards, who would handle it.
If employees understand policy, they can be the security department's eyes and ears in the office, on the lookout for security risks. Naturally, employees do this unconsciously when they walk through the parking lot. If they see a car being broken into, they report it.
Frank Jaffe, CSO of Portland, Maine-based electronic payment provider Clareon Corp., runs annual security training sessions that include a security brainstorming session. Employees have the opportunity to talk about security issues they see in their jobs. "There is an element of risk, but it is a good idea," he said.
Jaffe also encourages employees to talk about security incidents they have faced. For example, one employee got a virus at home. Jaffe had the employee talk about what he learned from the experience. Several employees approached Jaffe afterward for recommendations about home antivirus software. "I didn't want to show that he was dumb but help people understand how security really is important," Jaffe said.