Problem solve Get help with specific problems with your technologies, process and projects.

Employees: Your best defense, or your greatest vulnerability

SearchSecurity advisor Neal O'Farrell addresses employee education in this edition of the Executive Security Briefing.

Employees: Your best defense, or your greatest vulnerability
By Neal O'Farrell, a advisor

It's one of the many unpleasant realities of the constant battle to protect the enterprise. The more you invest in the physical and technology perimeters, the more vulnerable the human perimeter becomes. The more effective you are at keeping intruders out of your networks, the more likely they are to focus on your employees instead.

And despite the recent Gartner Group claim that major firms will be spending as much as 4% of annual revenue on security by the end of this decade, untrained employees will continue to be the sleeping sentries that turn corporate security into Swiss cheese.

This is the new battlefront. If you don't back up your investment in security technology with an equal (and relentless) commitment to training, your employees will do more harm to your reputation than a horde of hackers. As famed hacker Kevin Mitnik observed recently, "You can have the best technology, firewalls, intrusion-detection systems, biometric devices. All it takes is a call to an unsuspecting employee, and that's all she wrote, baby. They got everything."

Turning employees into sentries requires a fresh approach to training that does not rely on endless lists of security rules, or sporadic warnings from IT. Employees must be shown how their behavior can contribute to the vulnerability of their workplace, and that for security to be effective, it must become as second nature as being polite to customers.

How to reinforce the human perimeter

Employees can be forgiven for assuming that they have no significant role to play in security. Few employees receive regular security training, and most receive none. In many organizations, security is still the responsibility of the IT department, a department most employees simply regard as the people responsible for the printer not working again.

The media focus on the advancement of security technologies, especially antivirus and firewall, may also have lulled employees into the belief that if security technology is in place, their behavior cannot pose a risk.

Until humans begin to act like machines and not be influenced by perception, subjectivity and a desire to be helpful, they will continue to expose the enterprise to vulnerability. Well trained and constantly vigilant employees won't guarantee that this perimeter will hold against all attacks all of the time, but will certainly increase the organization's rings of defense against some of the most common exploits.

In its efforts to maximize the power of the Human Perimeter, the organization should incorporate the following principles into its security training efforts:

Re-humanize the threat. Both the media and the security industry have been very successful in demonizing hackers. The traditional "scold" school of training -- "hackers are bad" or "attachments can harbor viruses" just because we say so -- is not an effective way to teach. Introduce your employees to the enemy. Employees need to know who these hackers and virus authors are, what their motives are, and why it's so important to keep them beyond the perimeter.

Enlist all employees as accomplices in a conspiracy to defeat hackers. The success of Neighborhood Watch around the world demonstrates the success of enlisting citizens in a common and worthy fight against crime. All employees should consider themselves sentries engaged in a joint effort to protect their workplace from assault.

Think Security. Then click. Whether it's checking e-mail, answering a telephone, or logging off for the day, employees must be encouraged to think security into every action they take and every decision they make. Only when security becomes second nature will it become truly effective.

Don't leave it IT. Even in a down economy, most IT departments are over-worked and understaffed -- building out the infrastructure to keep the organization competitive, maintaining and servicing existing technology and never-ending reliability issues, and fighting a constant battle with network intruders.

When you add to the mix the realization that few IT staff are engaging communicators or experienced trainers, it's easy to understand why many employees fail to make a workable connection with IT staff.

Punish the crime. Clicking on a suspicious e-mail attachment when the user knows it's against the rules may not be a crime, but it should be an offense -- and a punishable one. When warning, cajoling and pleading fail to persuade a user to modify behavior, then discipline should. There must come a time in every organization when "I didn't know" is no longer a defense against risky or reckless behavior.

Try the "Short, Sharp, Shock" approach. Short, regular bursts of information will be retained far longer than less frequent but more intensive training. Pick the most important security lessons your employees need to know, condense them into short training briefs, and repeat them often.

You don't need any more experts. Don't expect your employees to become experts in network monitoring or virus scanning. Try to make security training like driver training. While the proper use of turn signals and the attention to the appropriate speed are all-important safety issues for every driver all the time, they don't constitute a second or separate test. They are simply part of the practice of maneuvering safely to avoid a serious incident.

Make it relevant. Employees are more likely to forget or ignore advice that has no relevance to their job, and "one lesson for all" just doesn't work. It's therefore important that employees make the connection between the lessons taught and the task at hand. For example, employees involved in accounting or transaction processing in a business that takes on-line credit card orders are far more likely to remember security lessons focused on protecting credit card files and personal customer information and on privacy issues.

That important security information might not seem so important or relevant to a telephonist, receptionist, or delivery driver, who are more likely to meet or speak with an intruder and be much more susceptible to social engineering.

Give lessons in social engineering. Employees must be able to spot the warning signs of social engineering -- when an intruder poses as a legitimate party like a customer, network administrator, or vendor representative and attempts to bluff sensitive information from an employee. Just as an antivirus product scans incoming files for suspect virus signatures based on its library of definitions, employees must have a library of warnings to detect the telltale signature of the social engineer.

Build a big red button. In days of yore sentries on hillsides and watchtowers used fire and horns to warn of an approaching enemy.

Their vigilance would have been pointless without the ability to sound the warning. Vigilance is only partially effective if employees do not have a clear and immediate system of reporting suspicious activity or events. It's therefore important to create an incident reporting policy and system that gives employees a simple way to report their suspicions, anonymously if they choose.

Managing the risks from inside. If a bank employee donned a mask in front of fellow employees, brandished a weapon and politely requested those employees for the contents of their tills, those employees would not expect, or want, to keep quiet about the incident. These analogies must be used to convince all employees that the majority of computer offenses are committed by employees, that many of these offenses are serious crimes, and whether they are crimes or offenses, they could put the organization's profitability, competitiveness, reputation and future at risk.

Give them something to take home. Cybercrime is a major social issue, and another way to make security matter to employees at work is to make it matter outside work.

Teach employees security skills that offer added value beyond the workplace -- protecting their families from cybercrime, protecting their kids online, protecting their identities from theft or adding a new and vital skill to their resumes.

About the author:
Neal O'Farrell is CEO of Hackademia, a firm focused on security education. He's a twenty-year veteran of information security, former hacker and original Code Rebel. He's also editor of The Zone, the security newsletter published by Internet security firm Zone Labs, where his unique take on cybercrime is dispensed to nearly 3 million subscribers across more than 100 countries every month. Neal is host of the Breach of Trust Security Briefings for Lawyers and speaks on Internet security issues to audiences around the nation.

He has recently launched an on-site and Web-based security seminar for employees called The Human Perimeter.

As part of the searchSecurity advisory team, Neal fields questions for our Ask the Expert feature concerning end users, e-mail and encryption.

This was last published in June 2001

Dig Deeper on Security Awareness Training and Internal Threats-Information