Tuesday, November 20, 2012

Counter Cybercrime - Turn insiders(employees) into assets

Security Awareness and Education

Darkreading has a very good article today - Four Ways to Turn Insiders into Assets

In general, I like the idea as I'm a believer of putting more effort on security awareness and education.

Robert Lemos, the author of the article, lists four ways:
(NOTE: Text in italics is excerpted from the original article; the comments are mine.)

1. Focus on changing user behavior
When it comes to training users, about 70 to 80 percent of companies are driven by compliance requirements and just want to get the box checked for training their employees, says Aaron Cohen, a managing partner at MAD Security, a security training firm.  

Securityisfun: This is so true. I have seen this quite a lot. Most companies do it because the law or an audit finding said so. Ask yourself a question: why do you send your kids to school? Is it because the government or the law requires it? No, we send children to school because we want them to become educated people and to learn how to behave correctly from a young age. So we all understand that education, or awareness, is the key. It shouldn't be any different when it comes to information security. We have to educate all the employees.

2. Test and retest
Videos may work for some employees, but testing their reaction to an actual test can give a company an idea of what might happen, while giving the worker valuable experience in what to expect in the future. Security training company PhishMe, for example, allows companies to send their employees phishing e-mails. Anyone who clicks on the e-mail link will be brought to a special site to educate them.

Securityisfun: I find the idea of using PhishMe brilliant and I believe it is an effective way. I did a similar test with the "screen lock policy" and I can vouch that the result was indeed excellent. Sometimes people need to learn from "mistakes" :)

3. Teach the individual
Yet, periodic testing and video training are not the only ways to solve the training problem, says Cohen. The training should be tailored to the company and the individuals who work there.

Securityisfun: Yes. There is no single silver bullet for all. Awareness training has to be tailored to the target individuals or groups. Threat scenarios for a system admin are not the same as those for a finance admin.

4. Even a failure can be a success
If an attacker fools an employee into clicking on a malicious link, submitting their credentials to a phishing site, or holding a door to allow them in the building, a properly trained employee can still act on their suspicions and correctly respond to the threat. An employee that reports any misgivings about an event can help a company respond in minutes or hours, before any damage has happened. 

Securityisfun: Good point. If an employee realises that he/she has been phished and immediately reports the incident, countermeasures can be taken at once to minimize the damage. Employers should praise such employees for reporting the incident instead of blaming or punishing them.
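Points 2 to 4 together describe how a simulated phishing exercise should be scored: per group (point 3), and counting a user who clicked but then reported as a success rather than a failure (point 4). The scorer below is example code added here, not from the article or from PhishMe; the event log, user names and group names are constructed.

```python
"""Score a simulated phishing exercise so that "clicked, then reported"
counts as a success and results are broken down per group.
Editor's example, not the article's or PhishMe's code; data is constructed."""
from collections import defaultdict

# Constructed sample log: (user, group, event), events per user in time order.
SAMPLE_EVENTS = [
    ("alice", "finance", "sent"), ("alice", "finance", "clicked"),
    ("alice", "finance", "reported"),                       # failure turned success
    ("bob", "finance", "sent"), ("bob", "finance", "clicked"),
    ("bob", "finance", "submitted_credentials"),            # worst case, no report
    ("carol", "sysadmin", "sent"), ("carol", "sysadmin", "reported"),
    ("dave", "sysadmin", "sent"),                           # ignored the mail
    ("erin", "sysadmin", "sent"), ("erin", "sysadmin", "clicked"),
]

OUTCOMES = ("reported_without_clicking", "clicked_then_reported",
            "clicked_no_report", "no_action")

def classify(kinds):
    """Map one user's ordered event kinds to a single outcome label."""
    clicked = "clicked" in kinds or "submitted_credentials" in kinds
    reported = "reported" in kinds
    if reported and not clicked:
        return "reported_without_clicking"
    if clicked and reported:
        return "clicked_then_reported"     # point 4: still a success
    if clicked:
        return "clicked_no_report"         # needs tailored follow-up (point 3)
    return "no_action"

def _by_user(events):
    per_user, group_of = defaultdict(list), {}
    for user, group, kind in events:
        per_user[user].append(kind)
        group_of[user] = group
    return per_user, group_of

def score_campaign(events):
    """Return {group: {outcome: count, ..., 'targeted': n, 'report_rate': r}}."""
    per_user, group_of = _by_user(events)
    summary = defaultdict(lambda: {**{o: 0 for o in OUTCOMES}, "targeted": 0})
    for user, kinds in per_user.items():
        s = summary[group_of[user]]
        s["targeted"] += 1
        s[classify(kinds)] += 1
    for s in summary.values():
        reports = s["reported_without_clicking"] + s["clicked_then_reported"]
        s["report_rate"] = round(reports / s["targeted"], 2)
    return dict(summary)

def needs_followup(events):
    """Users who clicked and never reported: the ones to educate, not punish."""
    per_user, _ = _by_user(events)
    return [u for u, k in per_user.items() if classify(k) == "clicked_no_report"]
```

The report rate, not just the click rate, is the number worth tracking over successive campaigns, because it measures the behaviour point 4 wants to reward.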

Ain't security fun? ;)

Acknowledgement - http://www.flickr.com/photos/bsabarnowl/7045688417/sizes/m/
