Enforcing user awareness with IT security awareness training, policy

Column


Even the best trained user will have lapses of attention and make mistakes. Well trained but disgruntled employees with the right credentials may cause huge damage unless you have a way of stopping them.

So forget users, they'll always let you down, and focus on your processes, technology and policy.

With a well-formed security awareness policy and the technology to enforce it, you can stop stupid, tired or evil users from causing you damage.

Someone tries to copy the customer file on to an iPod? You stop them and send an alert to the boss. Someone tries to open an email attachment from an unknown source? You either stop them, or get someone else to OK it before you allow it. Someone starts sending attachments to their Skype buddies? Just block them. All these rules can be enforced in technology very simply.

Systems that rely on users behaving well are like those poorly-maintained houses where you have to jiggle the lock on the door to make it work, and remember not to lean too hard on the shelf in case it collapses. Just as someone will eventually lean on that shelf and break it, a system user will open a dodgy email attachment or copy confidential files on to a laptop or USB stick.

So why don't we lock down systems properly already?

Well, to have a security awareness policy you have to think about what's allowed and prohibited. To do it properly, that means people in the business sitting down with the IT security team and going through their processes. And that's boring.

So how about this? Even if you can't work up the energy to do a full-blown, detailed and granular security awareness policy to cover every eventuality, you can still set down a few general do's and don'ts.

For instance, some of the largest security breaches in recent years (ChoicePoint in the U.S., HM Revenue & Customs in the U.K.) have resulted from backup tapes or disks going astray in the mail. So why not start by ensuring that any file transfers occur over a secure communications link? In any case, why would any organisation copy valuable data on to a tape and hand it over to a bloke with a van? Probably because that's the way they've always done it – which is one good reason to conduct regular reviews of procedures.

Data leakage prevention is also top of everyone's list at the moment, but do you really want to protect (or encrypt) every piece of data? Of course not.

If full-scale data classification fills you with dread or boredom, then just come up with half a dozen types of data that you really want to protect at all cost – customer details, bank account details, credit card numbers come to mind – and focus your efforts on them alone. And make sure the HR files are properly protected too – they are a potential source of data privacy problems.
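The two ideas above, a short list of data types worth protecting and a handful of enforceable do's and don'ts (block the copy to removable media and alert the boss, hold an attachment from an unknown sender for approval, block IM attachments), can be expressed as a very small policy check. The following is an added example, not code from the column or from any DLP product; the channel names, the `Event` structure and the decision tuples are assumptions, and the card and IBAN values are constructed test data.

```python
"""Minimal DLP-style policy check: classify content, then decide what to do with it."""
import re
from typing import NamedTuple, Set, Tuple, Optional

class Event(NamedTuple):
    channel: str        # assumed names: "removable_media", "email_attachment", "im_attachment"
    sender_known: bool  # only meaningful for inbound email attachments
    content: str        # text of the file or attachment being moved

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out most random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

# 13-19 digits with optional space/dash separators, and a rough IBAN shape (bank account details).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){2,7}(?:\s?[A-Z0-9]{1,3})?\b")

def classify(text: str) -> Set[str]:
    """Return the protected data classes found in the text (the column's 'half a dozen types')."""
    found = set()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):          # regex hit alone is not enough; checksum must pass too
            found.add("credit_card")
    if IBAN_RE.search(text):
        found.add("bank_account")
    return found

def decide(ev: Event) -> Tuple[str, Optional[str]]:
    """Map an event to (action, follow-up), mirroring the column's three example rules."""
    classes = classify(ev.content)
    if ev.channel == "removable_media" and classes:
        return ("block", "alert_manager")            # copy of customer/card data to an iPod or USB stick
    if ev.channel == "email_attachment" and not ev.sender_known:
        return ("hold", "require_approval")          # someone else must OK it first
    if ev.channel == "im_attachment":
        return ("block", None)                       # attachments to Skype buddies: just block
    return ("allow", None)

if __name__ == "__main__":
    print(decide(Event("removable_media", True, "customer 4111 1111 1111 1111")))
```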

By all means, do IT security awareness training too. It's cheap and it helps to create a secure ethos. But for heaven's sake don't rely on it to stop breaches happening.