A major leak in enterprise security is often caused by something that information security teams cannot physically control: the security of the users themselves. Infosec pros can patch systems, keep antivirus up to date, and surround the critical infrastructure with firewalls until they are blue in the face, but enterprises are still only as safe as the level of their users' security awareness.
As long as users have access to outside email, social networking sites and the like, organizations will continue to have security issues.
Until a couple of years ago, users at my organization had no fear of email. If a subject line looked remotely interesting, they would open it. If the email included a link or attachment in addition to a catchy subject line, they would follow it. It's hard to blame them, as some malicious emails look very convincing to the untrained eye. But for years, clicking without conscience caused my help desk a lot of grief.
I have tackled...
To continue reading for free, register below or login
To read more you must become a member of SearchSecurity.com
this user problem in my organization by working to make my users 'cyber-aware'. I do this by publishing a weekly cybersecurity tip. These tips, which are distributed via email to my entire organization, combine a bit of humor with a hefty dose of cyber wisdom. I use current trends as well as threats that have been around for a long time to educate my users, sometimes including links to related articles on the Web. My users may not be any smarter than anyone else concerning how a computer operates, but they know what not to click on in an email -- and my antivirus logs prove it is working.
In fact, my current virus count is down more than 75% since I started the program and I believe I currently have some of the most cyber-aware users on the planet. This not only aids my help desk with less work, (and saved man hours which equate to saved dollars) but many of my tips also get forwarded to users' family and friends. This spreads the wealth exponentially, with the results being a more secure computing environment at users' homes.
Here's a copy of a typical cyber tip:
Writing these notes is easy once you get the hang of it. Start by scanning the Web for topics based on the latest threat, then throw in a little humor to keep readers interested. The emails don't just have to be about viruses either. Take a break from the doom and gloom and occasionally have holiday-themed tips. For example, during the Christmas holiday season, I always send out a tip about safe online shopping. Send these tips to your organization via email, or maybe post them on your corporate intranet. After doing this for a couple of years, I've found that my users have begun to provide me with ideas by sending in questions or examples of malicious emails they've received.
The goal is to help users identify malicious messages and take pride in their own ability to do so. Once users reach that point, help desk will thank you. So go ahead, secure your infrastructure. Stay up to date with patching/antivirus on your client devices and servers, and keep watching those firewall/IDS logs, but if you want to make your job much easier, secure your users by working to increase their security awareness.
About the author:
Ed Gallagher is the security administrator for the Orange County Sheriff's Office in Orange County, FL.
