In Depth

Employee Security Education: Pillars of Your Community

To err is human. But can you really forgive the security disasters a careless employee might bring to your company? Here's how to teach users that they're your company's best defense against information security breaches.

By Meg Mitchell Moore

Page 3

Security, except to a select few, is about as exciting as watching the grass grow...in the desert...during a heat wave. "I think you have to be a certain person to care about security," says Bresler.

Independent security consultant Luce agrees: "Security is a boring topic to most people. So you have to put stuff in to counter that and get people's attention." His suggestion: Make it fun. When he worked for RHI, he introduced an in-house security training plan with a kick-off party. On occasion, he would also run tests to see who could catch potential security breaches. Those who discovered them were rewarded with gift certificates for dinner or points toward a bonus vacation day.

At Providence Health Plans, Apgar strives to take a positive approach to get his users' attention focused on security procedures. "Instead of saying, You have all this stuff you need to do, we say, We do 80 percent of this already, and we just need to do it better." And, he insists, trust is a key ingredient to a secure organization. "If you trust people to be honest and professional, 90 percent will be," he says. "If you expect the opposite, that becomes a self-fulfilling prophecy."

Since security is not top of mind for the typical user, security executives must also emphasize the rules stated in the policy regularly. "It's an educational process, and it's repetitive," says Luce. This repetition becomes particularly important when the company's policies change. "Once everyone is trained, you have to have everyone sign off on [the policy] every year," says Hughes. "Give them an updated version, educate them on what the changes are, and have them sign something saying they agree to comply."

Any method will work as long as the education takes place. For example, a security officer at a large food manufacturer says his department publishes frequent security bulletins with reminders about keeping passwords safe and cleaning sensitive data off machines. The company then distributes hard copies to everyone because employees are more likely to read paper than they are to read e-mails, he says. At Providence Health Plans, Apgar varies his approach. "We do training periodically," he says. "We keep the lines open, combining a number of different approaches, from formal training to an informational stop in the hall. We're taking it a little bit at a time." At Pacificorp, Bresler and his team conduct walk-throughs at individual desktops, performing surprise audits and reminding users of the rules.

Step Three: Enforce the Policy

While a company's security team is ultimately responsible for generating security policies, some of the onus for enforcing them should fall on department managers. In the health-care industry, for example, Apgar has learned that good security means performing a balancing act between giving people enough information to do their job and keeping privacy intact. One of the keys to that, he says, is keeping the lines of communication open with department heads so that if breaches occur, management can play a role in repairing them.
