In Depth

Employee Security Education: Pillars of Your Community

To err is human. But can you really forgive the security disasters a careless employee might bring to your company? Here's how to teach users that they're your company's best defense against information security breaches.

By Meg Mitchell Moore


An effective security policy must first of all be put in writing. In doing so, it should clearly spell out every last detail of company practices, such as how information technology employees should identify themselves when contacting a remote user about a technology problem, what types of e-mail are appropriate and how often users should reset their passwords. In addition to emphasizing security inside the building, a security policy should also address the dangers that lurk outside, including the risks of using laptops on business trips or carrying data on PDAs.

"It all boils down to a company having a solid yet understandable data security policy and procedure program," says Data Security Auditors' Hughes. "You know, making sure everybody knows what's OK and what's not OK."

Just as important as creating a policy, says Razorpoint's Morse, is making sure that the policy is uniform across all company locations. An organization that lacks consistency in its policy is vulnerable to social engineering attacks, for example, where a hacker can gain access to data or passwords by calling an employee and pretending to be from another location within the company. "In a word, people have to verify," Morse says. "They have to be able to say, 'Who is that person, and how do I know?'"

The tricky part lies in shaping a policy so that it protects valuable data while allowing users the flexibility they need to do their jobs. Providence Health Plans' Apgar tells of an incident at his company: upon discovering that Providence shared some systems with another health-care company, Providence had to put controls in place. The problem was that the systems had little capability to limit access, so Apgar needed to restrict the other company without cutting off his own users from information they needed. "Data security got in the way of itself," he says. "Instead of the security people saying, 'Maybe we should look at this and see if we can live with it,' they said, 'Oh, the attorney said to do it, so we'll have to turn it off.'" After careful consideration and some heated discussions, Apgar's group decided to build new controls into the system at minimal cost, which ended up working to everyone's satisfaction. The lesson: CSOs must first take the time to understand the business and users' needs before setting limits.

In addition, Hughes points out, it's critical to look at business partners outside your own firewall with whom you might be sharing information and address potential vulnerabilities in the security policy. "If you're in manufacturing and you're sharing proprietary information with the vendors helping you build, you might be secure, but how secure are your vendors?" he asks. A solid security policy covers all those bases.

Step Two: Sell the Policy

It's no secret that those who are well suited to create a security policy are not always the most adept at getting its message across. "Security professionals don't always make the best communicators," admits Stacy Bresler, senior information security principal at Pacificorp, a subsidiary of ScottishPower. When Bresler and his team implemented a new security awareness program for Pacificorp's users, a group from corporate communications helped prepare the presentation material that was handed out to employees during awareness training sessions. "Good experts have a way of understanding and spreading that understanding," he says. In addition, Pacificorp's security team hired professional actors to play out the message in a video. Every employee was required to either attend a security presentation or watch the video.
