Increasing information security awareness in the enterprise


Michael Cobb, Contributor
01.27.2010

Information security professionals are well aware that fostering security awareness in their organisations is like battling against the elements; it has to be done, but it often seems futile. Yet with one of the world's highest-profile companies recently falling victim to a damaging cyberattack, enterprises must pursue every avenue available to augment information security.

In this tip, we'll discuss how organisations can increase security awareness to avoid falling prey to damaging attacks that often reveal sensitive data.

The recent bad weather has caused a huge increase in the number of road accidents as drivers have struggled to cope with icy conditions. Motoring organisations and other concerned agencies issued advice to motorists on how to adapt their driving for the conditions along with additional precautions they should take. Thankfully nobody issued a statement saying that all drivers should change their car to brand X, which has a reputation for better handling. Some cars surely do handle better than others in icy conditions, but the reason there was no such advice is that everyone knows it's the driver, not the car, that's at the root of the problem.

So, what does the weather have to do with security awareness? Well, the recent warnings given to Web users by the German Federal Office for Information Security (BSI) and CERTA, the French government agency that oversees cyber threats, stated that users should find an alternative browser to Internet Explorer following the recent attacks on Google. These attacks were limited and highly targeted, so saying everyone should change browsers is like saying the whole country should change to 4x4s because there's snow in the mountains.

Every browser has security issues, so switching from one to another may mitigate one set of risks, but exposes users to another. This may sound like a controversial viewpoint, but to simply claim IE is inherently less secure than other browsers doesn't reflect the real situation. Yes, a vulnerability in Internet Explorer was one of the vectors used in attacks against Google and other companies, but it required "security-unaware" users to allow the vulnerability to be exploited.

This lack of information security awareness regarding the Internet is the real problem, and the most realistic, long-term solution is to change how people use it, not what they use to access it. Using the Internet is like using a car; the degree of caution a driver exercises depends on the environment in which it's being used. If you're working at an organisation that handles sensitive information, then you need to be more aware of the risks of using the Internet and how to mitigate those risks.

Beefing up information security awareness
To successfully thwart the attack to which Google was vulnerable -- and many other browser-based attacks, for that matter -- a combination of technology and security awareness is the best approach.

Firstly, the only successful attacks using this exploit have involved IE6. Later versions contained the same underlying vulnerability, but the exploit code seen in the wild depends on executing injected code, which IE8's default Data Execution Prevention (DEP) setting blocks. A simple (and free) upgrade to IE8 can therefore help companies avoid this and many other phishing and malware attacks. A report by NSS Labs ranked IE8 above other browsers for providing security against phishing and malware.

Secondly, for this type of attack to work, a user has to click a link in an email and visit a malicious website, whereupon a Trojan horse infects the user's PC, allowing the attacker to take control of it. It's vital to ensure users do not click on links or open attachments in unsolicited emails, no matter how intriguing they may seem.

To be fair though, these attacks used highly sophisticated social engineering techniques, which were precisely targeted and had a specific agenda. They illustrate just why employee information security awareness techniques should be reassessed and brought up to date on an ongoing basis. That entails understanding what methods are being used in the latest attacks and ensuring users are made aware of them. If users know how to recognise and handle the latest phishing and other social engineering attacks, then these types of attack are far less likely to succeed.

The U.K. government's Centre for the Protection of National Infrastructure (CPNI) has not issued any browser warnings, but said it is "monitoring the situation" and will "publish further advice if the risks change."

If it does feel the need to issue advice, I hope it focuses on users' information security awareness and not on their brand of browser. Web browser vulnerabilities and cyberattacks are a fact of Internet life, so more has to be done to ensure people know how to use the Internet safely and not just avoid the latest attack.

About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications.
