Friday, November 19, 2010

Security Awareness Strategy: Weighing Optimism vs. Pragmatism

In a recent article from SearchSecurity.com, the methods and "merits" of spreading security awareness are examined. Is it up to end users to keep themselves safe through updated knowledge and understanding of threats? Or is it the responsibility of governments, ISPs, vendors and enterprises to jointly protect the uninformed consumer?

Tony Neate, managing director of U.K.-based Get Safe Online, a joint public-private security education initiative aimed at individuals and small companies, is a passionate proponent of security awareness initiatives. At a time when more than three-quarters of the U.S. population and three-fifths of the U.K. population use the Internet regularly, he believes governments, ISPs, vendors and enterprises have a joint responsibility to teach the public not only how to protect themselves and their companies, but also about the increasingly complex ways in which they can be victimized.

Neate argues the public should know as much about how vulnerable they are to phishing and hacking as they know about robbery and burglary.

Neate's organization uses the typical strategies for boosting awareness: events, competitions, public outreach, and even the recently instituted National Cybersecurity Awareness Month. Neate also calls for companies to spend more resources on expert speakers, statistics and research, attack scenarios and behavioral training. Here, however, the article notes, is where the debate around security awareness becomes contentious.

In many organizations, the security staff is already stretched too thin, the budget for security awareness training is nonexistent, and even when security awareness programs are implemented, they are often ineffective because, as Lance Spitzner writes in the October 2010 issue of Information Security, "Nothing is more boring to employees than having to sit through hours of training, and being told what they can and cannot do for the benefit of the company." Ah, realism. Refreshing. Here are several points made by people interviewed in the article that serve as alternatives to Neate's plan.

1. Scare the awareness into them.

"A lot of day-to-day security professionals think security awareness is a waste of time," said Mike Rothman, analyst and president at Phoenix-based security research and advisory firm Securosis LLC and author. "These folks need to take a step back and have the awareness to do [security awareness] correctly; it can minimize the percentage of people who do stupid things, which allows you, the security professional, to focus on the minority of people who are going to do stupid things no matter how much you train them not to."

Rothman advocates a pointed security awareness strategy for enterprises that shuns formal training and instead focuses on tests, for individuals or groups of users, that mimic the real-world scenarios in which users put sensitive personal or business data at risk.

"By running an internal phishing experiment, for instance, when users [fall prey] to it, then you have the opportunity to educate them on how they can identify those messages," Rothman said. "Those kinds of awareness programs are an order of magnitude more effective than a sign by the bathroom or a four-hour training once a year."

2. Make it about helping the individual, not the corporation.

Almost as controversial as security awareness training methods is the question of whether enterprises should train employees on how to keep their personal data safe. Neate said a large organization he has worked with in the U.K., after finding traditional security awareness training ineffective, decided instead to focus its training sessions on teaching users how to use the Internet securely at home.

"They got droves of people to attend because people realized it was going to be useful to them at home, but it works both ways, at home and at work," Neate said.

Similarly, Rothman said companies should worry about how employees conduct themselves online when they are not on the clock. Clicking on a malicious Facebook app while using a company laptop, after all, can still put sensitive enterprise data at risk. Rothman also noted that if parents know how to act securely online, they'll pass that knowledge to their kids.

"How do we protect this next generation of kids who have all these tools at their disposal so they grow up knowing how to use them responsibly?" Rothman asked. "That's one of the most significant issues we have in today's tech-enabled society."

My Take

I knew it was Cybersecurity Awareness Month in October, but that was about the extent of how it affected me. It seemed the media didn't really care. While security-savvy blogs and professionals probably learned one or two new things in honor of the special time of year, people like you or me probably didn't do or learn anything different than usual, because frankly, most people don't see what personal benefit would come from knowing more about IS threats, nor do they fear the consequences of a lack of awareness.

I would argue for a combination of both the first and second strategies, and ditch Neate's altogether. There's something to this idea of appealing to people's interest in protecting themselves over the corporation. Human nature is tuned for self-preservation. Companies can hope that, through the transitive property, teaching employees how to be safe online at home will generate safer behavior online at work. Further, the training will be more effective in the first place because it's about the individual, not the corporation.

Finally, who hasn't heard someone say "Man, ever since X happened, I never do Y anymore"? I think it would be pretty interesting (although perhaps unethical) to do some white hat hacking and run phishing schemes on employees. It's much like what happens at airport screening checkpoints: the person who monitors the baggage X-ray is shown an image of a bag with a bomb that isn't really in the machine, and is supposed to alert their superior. The superior knows when this test is going to happen and to whom, so if he or she is never notified, that employee can be seen as a threat to the airport's security.

And frankly, that employee will probably become more diligent after making that mistake. I think things would operate quite similarly with members of a company when "put to the test." Of course, this might raise some legal and ethical issues, but given the ends, I tend to think the means make sense.
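For concreteness, here is an added example of how the internal phishing experiment Rothman describes (point 1 above), and the airport-style spot check I just compared it to, can be tracked so that only the people who actually took the bait get the follow-up lesson. This is my own sketch, not code from the SearchSecurity article, from Securosis, or from Get Safe Online. The campaign ID, campaign secret, landing URL and recipient names are made-up placeholders, and the web-server log lines are constructed inside the script so it runs offline.

```python
"""Tracking a simulated phishing campaign.

Each recipient gets a lure link carrying a token that is an HMAC over
(campaign, user). When the landing page is hit, the token is verified
before the click is attributed, so a link that is forwarded, edited, or
guessed cannot be charged to the wrong person. This is constructed example
code, not the original post's or any vendor's implementation.
"""
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlparse

# Assumed placeholder values; a real campaign generates a fresh random secret.
CAMPAIGN_ID = "awareness-2010-11"
CAMPAIGN_SECRET = b"replace-with-a-random-per-campaign-secret"
LANDING_URL = "https://training.example.com/login"
RECIPIENTS = ["alice", "bob", "carol", "dave"]

# Matches the request part of an Apache combined-format log line.
LOG_RE = re.compile(r'"GET (?P<path>\S+) HTTP/1\.[01]"')


def make_token(secret: bytes, campaign_id: str, user: str) -> str:
    """Bind the token to (campaign, user): attributable, unforgeable, unguessable."""
    msg = f"{campaign_id}:{user}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]


def build_lure_link(user: str) -> str:
    """The link that goes into the test e-mail for one recipient."""
    token = make_token(CAMPAIGN_SECRET, CAMPAIGN_ID, user)
    return f"{LANDING_URL}?c={CAMPAIGN_ID}&u={user}&t={token}"


def attribute_click(line: str):
    """Verified username for a hit on the landing page, 'invalid' for a
    tampered or forged token, None for unrelated requests."""
    m = LOG_RE.search(line)
    if not m:
        return None
    qs = parse_qs(urlparse(m.group("path")).query)
    if qs.get("c", [None])[0] != CAMPAIGN_ID:
        return None
    user = qs.get("u", [""])[0]
    token = qs.get("t", [""])[0]
    expected = make_token(CAMPAIGN_SECRET, CAMPAIGN_ID, user)
    # Constant-time comparison so the token check itself leaks nothing.
    if user in RECIPIENTS and hmac.compare_digest(expected, token):
        return user
    return "invalid"


def tally(log_lines):
    """Who clicked (and needs the follow-up lesson), how many hits were
    rejected, and the overall click rate for the campaign."""
    clicked, rejected = set(), 0
    for line in log_lines:
        who = attribute_click(line)
        if who is None:
            continue
        if who == "invalid":
            rejected += 1
        else:
            clicked.add(who)
    return {
        "clicked": sorted(clicked),
        "rejected": rejected,
        "click_rate": len(clicked) / len(RECIPIENTS),
    }


def _path_of(url: str) -> str:
    p = urlparse(url)
    return f"{p.path}?{p.query}" if p.query else p.path


def _log_line(path: str) -> str:
    # Constructed log line in Apache combined format (not a real server log).
    return (f'10.0.0.5 - - [19/Nov/2010:10:12:01 +0000] "GET {path} HTTP/1.1" '
            f'200 512 "-" "Mozilla/5.0"')


# Constructed sample log: alice clicked twice, carol once, someone hit the
# page with bob's name but a mangled token, plus unrelated traffic.
SAMPLE_LOG = [
    _log_line(_path_of(build_lure_link("alice"))),
    _log_line(_path_of(build_lure_link("alice"))),
    _log_line("/favicon.ico"),
    _log_line(_path_of(build_lure_link("carol"))),
    _log_line(f"/login?c={CAMPAIGN_ID}&u=bob&t=" + "0" * 32),
]

if __name__ == "__main__":
    print(tally(SAMPLE_LOG))
```

Running it on the constructed log reports alice and carol as the people to follow up with, rejects the forged hit against bob, and gives a click rate of 0.5 for the four recipients. The per-user HMAC matters in exactly the way the airport test does: the "superior" must know who was tested, and nobody should be able to get a colleague flagged by pasting a doctored link. A real program should also record who reported the message, not just who clicked, since reporting is the behavior you actually want to reinforce.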

In summary, my ideal IS awareness and training strategy would incorporate the proliferation of fear and exploit our self-interested human nature. Does that make me a jerk?
