Increasing information security awareness in the enterprise


Michael Cobb, Contributor

Information security professionals are well aware that fostering security awareness in their organisations is like battling the elements: it has to be done, but it often seems futile. Yet with Google, one of the world's highest-profile companies, recently falling victim to a damaging cyberattack, enterprises must pursue every avenue available to improve information security.

In this tip, we'll discuss how organisations can increase security awareness to avoid falling prey to damaging attacks that often reveal sensitive data.

The recent bad weather has caused a huge increase in the number of road accidents as drivers have struggled to cope with icy conditions. Motoring organisations and other concerned agencies issued advice to motorists on how to adapt their driving for the conditions, along with additional precautions they should take. Thankfully nobody issued a statement saying that all drivers should change their car to brand X, which has a reputation for better handling. Some cars surely do handle better than others in icy conditions, but the reason there was no such advice is that everyone knows it's the driver, not the car, that's at the root of the problem.

So, what does the weather have to do with security awareness? Well, the recent warnings given to Web users by the German Federal Office for Information Security (BSI) and CERTA, the French government agency that oversees cyber threats, stated that users should find an alternative browser to Internet Explorer following the recent attacks on Google. These attacks were limited and highly targeted, so saying everyone should change browsers is like saying the whole country should change to 4x4s because there's snow in the mountains.

Every browser has security issues, so switching from one to another may mitigate one set of risks but exposes users to another. This may sound like a controversial viewpoint, but simply claiming IE is inherently less secure than other browsers doesn't reflect the real situation. Yes, a vulnerability in Internet Explorer was one of the vectors used in the attacks against Google and other companies, but exploiting it still required "security-unaware" users to be lured onto an attacker-controlled web page in the first place.

This lack of information security awareness regarding the Internet is the real problem, and the most realistic, long-term solution is to change how people use it, not what they use to access it. Using the Internet is like using a car; the degree of caution a driver exercises depends on the environment in which it's being used. If you're working at an organisation that handles sensitive information, then you need to be more aware of the risks of using the Internet and how to mitigate those risks.

Beefing up information security awareness
To successfully thwart the attack to which Google was vulnerable -- and many other browser-based attacks, for that matter -- a combination of technology and security awareness is the best approach.

Firstly, the attacks observed in the wild targeted IE6. Later versions of the browser shared the underlying vulnerability, but a simple (and free) upgrade to IE8, which turns on protections such as Data Execution Prevention (DEP) by default on current versions of Windows, makes that exploit considerably harder to pull off and also helps companies avoid many other phishing and malware attacks. A report by NSS Labs ranked IE8 above other browsers for blocking phishing and socially engineered malware. An upgrade reduces exposure, but it is not a substitute for applying the vendor's fix for the vulnerability itself.
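Before anyone can be upgraded, you need to know who is still running IE6. The following script is an added example, not code from the article or its author: it assumes a web proxy that writes Apache-style combined-format logs with the User-Agent string in the last quoted field (the log lines below are constructed, not real traffic), and it shows the one check people get wrong, namely that IE8 in Compatibility View advertises itself as "MSIE 7.0" and is only recognisable from its Trident token.

```python
import re

# Constructed sample: Apache/Squid-style combined-format proxy log lines with the
# browser's User-Agent string in the final quoted field. Not real traffic.
SAMPLE_PROXY_LOG = """\
10.1.2.3 - jsmith [21/Jan/2010:09:14:02 +0000] "GET /news HTTP/1.1" 200 5123 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10.1.2.7 - - [21/Jan/2010:09:14:05 +0000] "GET / HTTP/1.1" 200 812 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0)"
10.1.2.9 - - [21/Jan/2010:09:15:11 +0000] "GET /a HTTP/1.1" 200 99 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
10.1.2.12 - - [21/Jan/2010:09:16:40 +0000] "GET /b HTTP/1.1" 200 99 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7"
10.1.2.3 - jsmith [21/Jan/2010:09:20:02 +0000] "GET /c HTTP/1.1" 200 77 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
10.1.2.15 - - [21/Jan/2010:09:21:00 +0000] "GET /d HTTP/1.1" 200 77 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
"""

# Client address is the first field; the User-Agent is the last quoted field.
_LINE_RE = re.compile(r'^(?P<client>\S+) .*"(?P<ua>[^"]*)"\s*$')
_MSIE_RE = re.compile(r"MSIE (\d+)\.")
_TRIDENT_RE = re.compile(r"Trident/(\d+)\.")


def ie_major_version(user_agent):
    """Return the real Internet Explorer major version, or None for other browsers.

    IE8 and later include a Trident/N token, and N + 4 is the real version
    (Trident/4.0 is IE8). This matters because IE8 in Compatibility View reports
    "MSIE 7.0" and would otherwise be mistaken for an old IE7 install.
    """
    trident = _TRIDENT_RE.search(user_agent)
    if trident:
        return int(trident.group(1)) + 4
    msie = _MSIE_RE.search(user_agent)
    return int(msie.group(1)) if msie else None


def find_outdated_ie(log_text, minimum_version=8):
    """Map each client address to the oldest IE major version it was seen using,
    keeping only clients below minimum_version."""
    oldest = {}
    for line in log_text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        version = ie_major_version(m.group("ua"))
        if version is None:
            continue  # not Internet Explorer at all
        client = m.group("client")
        oldest[client] = min(version, oldest.get(client, version))
    return {c: v for c, v in oldest.items() if v < minimum_version}


if __name__ == "__main__":
    for client, version in sorted(find_outdated_ie(SAMPLE_PROXY_LOG).items()):
        print(f"{client} still runs Internet Explorer {version}")
```

Run against the sample, the script reports 10.1.2.3 on IE6 and 10.1.2.15 on IE7, and correctly leaves 10.1.2.7 alone even though its User-Agent says "MSIE 7.0". Feed it a day of real proxy logs and the resulting list is the upgrade work queue.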

Secondly, for this type of attack to work, a user has to click a link in an email and visit a malicious website, whereupon the browser vulnerability is used to install a Trojan horse on the user's PC, allowing the attacker to take control of it. It's vital to ensure users do not click on links or open attachments in unsolicited emails, no matter how intriguing they may seem.
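The tell-tale sign users should be trained to look for is a link whose visible text does not match where it actually leads. The following is an added example, not code from the article or its author, that automates that check for an HTML email body so it can be used in awareness exercises or as a mail-gateway heuristic. The email body is constructed for the example, and the handling of two-level UK domains is a deliberate simplification (a real deployment would use the Public Suffix List).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the HTML body of a lure email, not a real message. The first
# and third links are crafted to display one address while leading somewhere else.
SAMPLE_EMAIL_HTML = """\
<p>Dear colleague,</p>
<p>Please review the updated expense policy at
<a href="http://203.0.113.45/policy/login.php">http://intranet.example.co.uk/policy</a>
before Friday.</p>
<p>Questions? See <a href="https://intranet.example.co.uk/help">our help pages</a>,
or use the reset form at
<a href="http://example.co.uk.attacker-domain.example/reset">https://example.co.uk/reset</a>.</p>
"""

# Simplified handling of UK-style second-level domains (assumption for this example);
# a real deployment would consult the Public Suffix List instead of this short set.
_SECOND_LEVEL = {"co", "ac", "gov", "org", "net", "ltd", "plc"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Reduce a hostname to the domain someone actually registered."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in _SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def host_of(text):
    """Hostname if the visible link text looks like a URL or bare domain, else None."""
    t = text.strip()
    if re.match(r"^[a-z][a-z0-9+.-]*://", t, re.I):
        return urlparse(t).hostname
    m = re.match(r"^((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[/:?#].*)?$", t, re.I)
    return m.group(1).lower() if m else None


def check_links(html_body):
    """Return (href, text, reason) for each link a reader should distrust."""
    parser = LinkCollector()
    parser.feed(html_body)
    parser.close()
    findings = []
    for href, text in parser.links:
        url = urlparse(href)
        host = (url.hostname or "").lower()
        if url.scheme not in ("http", "https"):
            findings.append((href, text, f"non-web scheme: {url.scheme or 'none'}"))
            continue
        if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
            findings.append((href, text, "destination is a bare IP address"))
        shown = host_of(text)
        if shown and registrable_domain(shown) != registrable_domain(host):
            findings.append((href, text, f"displays {shown} but links to {host}"))
    return findings


if __name__ == "__main__":
    for href, text, reason in check_links(SAMPLE_EMAIL_HTML):
        print(f"{reason}: '{text}' -> {href}")
```

On the sample, the first link is reported twice (bare IP destination, and displayed host differing from the real one), the genuine help link passes, and the third link is caught because the real host only begins with the company's domain. That last case, a lookalike prefix on an unrelated registered domain, is exactly the trick to rehearse with users: hovering over the link shows the real destination, and the registered domain is what counts, not how the address starts.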

To be fair though, these attacks used highly sophisticated social engineering techniques, which were precisely targeted and had a specific agenda. They illustrate just why employee information security awareness programmes should be reassessed and brought up to date on an ongoing basis. That entails understanding what methods are being used in the latest attacks and ensuring users are made aware of them. If users know how to recognise and handle the latest phishing and other social engineering attacks, then these types of attack are far less likely to succeed.

The U.K. government's Centre for the Protection of National Infrastructure (CPNI) has not issued any browser warnings, but said it is "monitoring the situation" and will "publish further advice if the risks change."

If it does feel the need to issue advice, I hope it focuses on users' information security awareness and not on their brand of browser. Web browser vulnerabilities and cyberattacks are a fact of Internet life, so more has to be done to ensure people know how to use the Internet safely and not just avoid the latest attack.

About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications.

All Rights Reserved, Copyright 2008 - 2010, TechTarget | Read our Privacy Policy