Cut down on calls to help desk with cybersecurity awareness training


Ed Gallagher, Contributor
11.18.2009


A major leak in enterprise security is often caused by something that information security teams cannot physically control: the security of the users themselves. Infosec pros can patch systems, keep antivirus up to date, and surround the critical infrastructure with firewalls until they are blue in the face, but enterprises are still only as safe as the level of their users' security awareness.

As long as users have access to outside email, social networking sites and the like, organizations will continue to have security issues.

Until a couple of years ago, users at my organization had no fear of email. If a subject line looked remotely interesting, they would open it. If the email included a link or attachment in addition to a catchy subject line, they would follow it. It's hard to blame them, as some malicious emails look very convincing to the untrained eye. But for years, clicking without conscience caused my help desk a lot of grief.

I have tackled this user problem in my organization by working to make my users 'cyber-aware'. I do this by publishing a weekly cybersecurity tip. These tips, which are distributed via email to my entire organization, combine a bit of humor with a hefty dose of cyber wisdom. I use current trends as well as threats that have been around for a long time to educate my users, sometimes including links to related articles on the Web. My users may not be any smarter than anyone else concerning how a computer operates, but they know what not to click on in an email -- and my antivirus logs prove it is working.

In fact, my current virus count is down more than 75% since I started the program, and I believe I currently have some of the most cyber-aware users on the planet. This not only aids my help desk with less work (and saved man-hours, which equate to saved dollars), but many of my tips also get forwarded to users' family and friends. This spreads the wealth exponentially, with the result being a more secure computing environment at users' homes.

Here's a copy of a typical cyber tip:

Good Morning and welcome to summer! (Well, not astronomically, but the kids are out of school, so close enough.) Today I'm going to expand on one of my earlier tips with a bit of information that one of my fellow geeks forwarded to me. This is about posting personal information online, even on something as innocent as an 'out of office' notification in your email.

So here's the scoop: I'm assuming most of you will be taking a vacation this summer. Prior to you leaving for vacation, are you going to change your voice mail message to say, "Hi, we're not home right now, we will be away until July 6th. Please smash the sliding glass door, grab that big screen TV and any jewelry you might want. Thanks and leave a message at the beep"?

Silly maybe, but if you wouldn't post this kind of information on your answering machine, why would you want to be that detailed on your MySpace page or "out-of-office" message? How about your kid's MySpace page? Face it: Some of our kids have friends that may be questionable at best. Any of your kids' friends reading their MySpace/Facebook page might also enjoy knowing that your family won't be home for a couple weeks. They might want to drop by to make sure your house is secure.

As always, this is just a little snippet to make you smile, but also to get you thinking. As Robert Wieder said, "Once you have them by their funny bone, their hearts and minds will follow."

... so follow the link below for more information: http://news.yahoo.com/s/ap_travel/20090608/ap_tr_ge/travel_cybertrips_vacation_messages

Thanks for listening.

Writing these notes is easy once you get the hang of it. Start by scanning the Web for topics based on the latest threat, then throw in a little humor to keep readers interested. The emails don't just have to be about viruses either. Take a break from the doom and gloom and occasionally have holiday-themed tips. For example, during the Christmas holiday season, I always send out a tip about safe online shopping. Send these tips to your organization via email, or maybe post them on your corporate intranet. After doing this for a couple of years, I've found that my users have begun to provide me with ideas by sending in questions or examples of malicious emails they've received.

The goal is to help users identify malicious messages and take pride in their own ability to do so. Once users reach that point, help desk will thank you. So go ahead, secure your infrastructure. Stay up to date with patching/antivirus on your client devices and servers, and keep watching those firewall/IDS logs, but if you want to make your job much easier, secure your users by working to increase their security awareness.

About the author:
Ed Gallagher is the security administrator for the Orange County Sheriff's Office in Orange County, FL.

