
RISK MANAGEMENT STRATEGIES
Employees: Your best defense, or your greatest vulnerability
Neal O'Farrell
06.28.2001
Rating: 4.18 (out of 5)
By Neal O'Farrell, a searchSecurity.com advisor
It's one of the many unpleasant realities of the constant battle to
protect the enterprise. The more you invest in the physical and
technology perimeters, the more vulnerable the human perimeter
becomes. The more effective you are at keeping intruders out of your
networks, the more likely they are to focus on your employees
instead.
And despite the recent Gartner Group claim that major firms will be
spending as much as 4% of annual revenue on security by the end of
this decade, untrained employees will continue to be the sleeping
sentries that turn corporate security into Swiss cheese.
This is the new battlefront. If you don't back up your investment in
security technology with an equal (and relentless) commitment to
training, your employees will do more harm to your reputation than a
horde of hackers. As famed hacker Kevin Mitnick observed recently,
"You can have the best technology, firewalls, intrusion-detection
systems, biometric devices. All it takes is a call to an unsuspecting
employee, and that's all she wrote, baby. They got everything."
Turning employees into sentries requires a fresh approach to training
that does not rely on endless lists of security rules, or sporadic
warnings from IT. Employees must be shown how their behavior can
contribute to the vulnerability of their workplace, and that for
security to be effective, it must become as second nature as being
polite to customers.
How to reinforce the human perimeter
Employees can be forgiven for assuming that they have no significant
role to play in security. Few employees receive regular security
training, and most receive none. In many organizations, security is
still the responsibility of the IT department, a department most
employees simply regard as the people responsible for the printer not
working again.
The media focus on the advancement of security technologies,
especially antivirus and firewall products, may also have lulled
employees into the belief that if security technology is in place,
their behavior cannot pose a risk.
Until humans begin to act like machines, uninfluenced by perception,
subjectivity and a desire to be helpful, they will continue to expose
the enterprise to vulnerability. Well-trained and constantly vigilant
employees won't guarantee that this perimeter will hold against all
attacks all of the time, but they will certainly strengthen the
organization's rings of defense against some of the most common
exploits.
In its efforts to maximize the power of the Human Perimeter, the
organization should incorporate the following principles into its
security training efforts:
Re-humanize the threat. Both the media and the security industry have
been very successful in demonizing hackers. The traditional "scold"
school of training -- "hackers are bad" or "attachments can harbor
viruses" just because we say so -- is not an effective way to teach.
Introduce your employees to the enemy. Employees need to know who
these hackers and virus authors are, what their motives are, and why
it's so important to keep them beyond the perimeter.
Enlist all employees as accomplices in a conspiracy to defeat
hackers. The success of Neighborhood Watch around the world
demonstrates the success of enlisting citizens in a common and worthy
fight against crime. All employees should consider themselves
sentries engaged in a joint effort to protect their workplace from
assault.
Think Security. Then click. Whether it's checking e-mail, answering a
telephone, or logging off for the day, employees must be encouraged
to think security into every action they take and every decision they
make. Only when security becomes second nature will it become truly
effective.
Don't leave it to IT. Even in a down economy, most IT departments are
over-worked and understaffed -- building out the infrastructure to
keep the organization competitive, maintaining and servicing existing
technology, dealing with never-ending reliability issues, and fighting
a constant battle with network intruders.
When you add to the mix the realization that few IT staff are
engaging communicators or experienced trainers, it's easy to
understand why many employees fail to make a workable connection with
IT staff.
Punish the crime. Clicking on a suspicious e-mail attachment when the
user knows it's against the rules may not be a crime, but it should
be an offense -- and a punishable one. When warning, cajoling and
pleading fail to persuade a user to modify behavior, then discipline
should. There must come a time in every organization when "I didn't
know" is no longer a defense against risky or reckless behavior.
Try the "Short, Sharp, Shock" approach. Short, regular bursts of
information will be retained far longer than less frequent but more
intensive training. Pick the most important security lessons your
employees need to know, condense them into short training briefs, and
repeat them often.
You don't need any more experts. Don't expect your employees to
become experts in network monitoring or virus scanning. Try to make
security training like driver training. While the proper use of turn
signals and the attention to the appropriate speed are all-important
safety issues for every driver all the time, they don't constitute a
second or separate test. They are simply part of the practice of
maneuvering safely to avoid a serious incident.
Make it relevant. Employees are more likely to forget or ignore
advice that has no relevance to their job, and "one lesson for all"
just doesn't work. It's therefore important that employees make the
connection between the lessons taught and the task at hand. For
example, employees involved in accounting or transaction processing
in a business that takes on-line credit card orders are far more
likely to remember security lessons focused on protecting credit card
files and personal customer information and on privacy issues.
That important security information might not seem so important or
relevant to a telephonist, receptionist, or delivery driver, who are
more likely to meet or speak with an intruder and be much more
susceptible to social engineering.
Give lessons in social engineering. Employees must be able to spot
the warning signs of social engineering -- when an intruder poses as
a legitimate party like a customer, network administrator, or vendor
representative and attempts to bluff sensitive information from an
employee. Just as an antivirus product scans incoming files for
suspect virus signatures based on its library of definitions,
employees must have a library of warnings to detect the telltale
signature of the social engineer.
Build a big red button. In days of yore sentries on hillsides and
watchtowers used fire and horns to warn of an approaching enemy.
Their vigilance would have been pointless without the ability to
sound the warning. Vigilance is only partially effective if employees
do not have a clear and immediate system of reporting suspicious
activity or events. It's therefore important to create an incident
reporting policy and system that gives employees a simple way to
report their suspicions, anonymously if they choose.
Managing the risks from inside. If a bank employee donned a mask in
front of fellow employees, brandished a weapon and politely asked
those employees for the contents of their tills, those employees
would not expect, or want, to keep quiet about the incident. Analogies
like this must be used to convince all employees that the majority of
computer offenses are committed by employees, that many of these
offenses are serious crimes, and that whether they are crimes or
offenses, they could put the organization's profitability,
competitiveness, reputation and future at risk.
Give them something to take home. Cybercrime is a major social issue,
and another way to make security matter to employees at work is to
make it matter outside work.
Teach employees security skills that offer added value beyond the
workplace -- protecting their families from cybercrime, protecting
their kids online, protecting their identities from theft or adding a
new and vital skill to their resumes.
About the author:
Neal O'Farrell is CEO of Hackademia, a firm focused on security
education. He's a twenty-year veteran of information security, former
hacker and original Code Rebel. He's also editor of The Zone, the
security newsletter published by Internet security firm Zone Labs,
where his unique take on cybercrime is dispensed to nearly 3 million
subscribers across more than 100 countries every month. Neal is host
of the Breach of Trust Security Briefings for Lawyers and speaks on
Internet security issues to audiences around the nation.
He has recently launched an on-site and Web-based security seminar
for employees called The Human Perimeter.
As part of the searchSecurity advisory team, Neal fields questions
for our Ask the Expert feature concerning end users, e-mail and
encryption.