SAN FRANCISCO -- Companies often spend millions of dollars on the latest security technologies, and they log many hours crafting strong security policies. But all it takes is one employee to goof up, and all the security afforded by technology and policy is for naught.
Sound security cannot be accomplished by policy and technology alone. Investments have to be made in the human piece of security.
Don't rely too heavily on people
A balance must be struck among process, technology and people. Relying too much on one element exposes organizations to a host of problems, said Joseph Mangin, a security architect for Sun Microsystems Inc.'s professional services unit, last week during RSA Conference 2003. For example, people-centric organizations rely mostly on human action to remain secure. But such a scenario is affected by vacation and sick time because the people responsible for certain tasks are out. Additionally, people are prone to making mistakes.
Government agencies tend to be more process-oriented, which means that activities are constantly validated and documented -- which minimizes the uncertainty associated with the human element. So when employees are discharged or leave voluntarily, it doesn't necessarily affect how things are done. This approach can make enforcement objective because it doesn't rely on specific people. On the other hand, relying so much on the process can take a lot of time as workers deal with documentation and other rules.
A technology-centric company experiences problems because technology is often very fragmented within an organization. "Also, technology is often bought as a point solution, not to meet a strategy or a plan," Mangin said.
Making employees a defense, not a threat
After a company sorts out its macro-level view of technology, process and people, it can then drill down a little deeper into the human element. The knee-jerk reaction for most companies when it comes to security is to invest in technology, not user training.
Former hacker Kevin Mitnick does user-awareness training, in addition to other consulting work. With most employee-caused security breaches, employees have fallen for tricks -- they weren't acting out of malice. "They tend to give others the benefit of the doubt," Mitnick said at the RSA conference. "People don't understand the consequences of their actions."
Sometimes people do intentionally put an enterprise at risk, as in the case of the stereotypical disgruntled employee who gets passed over for a promotion. But in most cases, employees unwittingly expose the company to risk. For example, an employee who checks his Web-based personal e-mail account at work may be circumventing the company's defenses and allowing a worm or virus to sneak in. Some experts think the spread of the Klez.H worm was due in part to employees checking their personal e-mail accounts at work.
User-awareness training helps companies guard against unintentional security gaffes. Training essentially makes security second nature to employees and alerts them to the security risks posed by their actions.
A good place to start is a kick-off event just to get people thinking about security, said Rich Holstein, senior vice president of technical operations for Sunnyvale, Calif.-based Blue Coat Systems. This could take the form of a little party or lunch. Posters and other materials can help reinforce the message of sound security. The information push should be aimed at the people with the least knowledge. Additionally, information should be made available in bite-sized pieces, so it doesn't overwhelm employees. "You can fit a tremendous amount of information in just a single paragraph," he said.
Perhaps the best way to deliver the information is through the Web. Formal classroom settings tend not to be as effective because people have varying knowledge levels. "The people who should ask questions don't because they are afraid of looking stupid," Holstein said.
Also, online training offers some other important benefits, Holstein said. Employees can learn at their own pace, and the systems are pretty easy to manage. Also, companies using Web-based training can document that employees actually completed instruction. This can come in handy if a company wants to discipline an employee for doing something in violation of security policy.
Web-based delivery systems can be built in-house or purchased. That decision should be made based on the skills and knowledge a company has. Purchased products are fine, as long as the content can be customized so it fits with individual security policies, Holstein said.