In Depth

Employee Security Education: Pillars of Your Community

To err is human. But can you really forgive the security disasters a careless employee might bring to your company? Here's how to teach users that they're your company's best defense against information security breaches.

By Meg Mitchell Moore

January 09, 2003, CSO — A computer password is tacked up casually on the cubicle wall. A door out back is wedged open during a quick cigarette break. A laptop is left carelessly behind in a taxi ride to the airport. And suddenly it doesn't matter how good your company's security system is. It has just succumbed to human failure.

"I can have all the gadgets in the world," says Chris Apgar, data security and HIPAA compliance officer for Providence Health Plans, "but if people don't understand the basics, like don't send things over the Internet, and make sure your files are put away, well, I can spend millions on security, and it won't do any good."

And so it goes with corporate security. People get busy. Or distracted. Or careless. Or downright malicious. In fact, if there's one thing about which people in the security field readily agree, it's that weaknesses in user practices pose a bigger threat to an organization's security than any vulnerabilities in technology do.

"The best technology can always be circumvented by an employee," says Gary Morse, president of security consultancy Razorpoint Security Technologies. "You can have the best security policy in the universe, but people just get busy."

Without a doubt, the employee is often the weakest link in the security chain. "People think, 'It's just data; it's not really important,'" says Thomas Luce, former CSO of Rochester Health Care Information (RHI) Group and now an independent security consultant. "They don't understand the damage they could do, especially in health-care and financial services companies."

And so a solid recipe for a truly effective security strategy needs to include two parts common sense, plus a certain amount of change management. "Security is not simply a piece of technology," says Apgar. "It's a culture and a process and a procedure and an indoctrination."

"An organization's technology is only as strong as the people behind it," adds Roger Hughes, president of Data Security Auditors, an independent auditor. "Systems and processes are built by employees." That makes it imperative that you work to change the thinking in your organization from "Nothing bad will happen here" to "If I share my password, this can happen," or "If I leave an area unsecured, that can happen."

The biggest challenge facing the security industry is knowing how to transform an organization's users from its biggest vulnerability into its first line of defense. The bad news is that it's not going to be easy. The good news is that it's not impossible. Here are three steps to get started.

Step One: Develop a Written Security Policy

Although it may seem like a painfully obvious omission, the truth is that many companies have no real security policy. And of the policies that do make it onto paper, many go the way of screenplays written by struggling writers: passed around a lot, occasionally asked after, but never really read. "The omission of a formal security training scheme is the norm," says Michael Casper, information security officer at Wachovia Bank. "So simply having formal training materials and implementing them is paramount to the beginning of security education success."
