In Depth

Employee Security Education: Pillars of Your Community

To err is human. But can you really forgive the security disasters a careless employee might bring to your company? Here's how to teach users that they're your company's best defense against information security breaches.

By Meg Mitchell Moore

Page 4

When Apgar learned that users in his organization had broken two of the cardinal rules of health-care security (don't fax screen prints from claims, and don't use the system to look up your own information), he went to the appropriate department managers and helped them decide how to educate their staff. Pacificorp's Bresler follows the same approach. He and his security colleagues expect middle management to accept the bulk of responsibility for enforcing security policies. "In an organization of our size [8,000 users], we're not going to micromanage down to the end users," he adds.

Bresler says that managers should also be responsible for enforcing the rules related to wireless security. "Business managers want their users to be productive but don't consider the risks associated with that," he says. For one thing, Bresler says, it's rare for business managers to communicate to users the dangers of connecting a laptop holding sensitive data to a hotel LAN. "Wireless is convenient, cheap and handy," adds Morse. "Unfortunately people want the quick fix, and they take it out of the box and they go through the quick start guide. They don't turn on access passwords or the encryption." It's possible to make wireless devices much more secure, he says, but it involves some extra work on the part of the users.

Delegating accountability to your users is also key to a security policy's success. If "it will never happen here" takes first place as the CSO's least favorite sentiment, "a security breach won't really affect me" comes in a close second. "A lot of people don't understand the implications of what the information could do outside of their hands," says Luce. Once users comprehend the importance of the data they safeguard, they should also know that failure to comply with security policies will leave a lasting mark on their record. After all, most users weigh their own interests more heavily than the company's. If users know that their personal standing is at risk, they will start to think about corporate security in a whole new light.

"Some companies have updated their packets, and there are whole sections saying, 'You will maintain proper passwords or you'll be fired, or liable, or both,'" says Razorpoint's Morse. Pacificorp's Bresler thinks a "three strikes and you're out" policy is ideal.

To that end, security experts say, it's critical to work closely with the human resources department. Forging a strong link builds valuable and necessary support, says Hughes of Data Security Auditors, and ensures follow-through if breaches occur. "IT and HR must work in concert with the COO or GM to make sure people understand these policies and procedures," he says. "Have a luncheon or seminar or a new-employee orientation where the security policy is part of it. Have employees sign it, and make sure they know they're accountable. If they do something that costs the company money, that's grounds for termination."
