Employee Security Education: Pillars of Your Community

A computer password is tacked up casually on the cubicle wall. A door out back is wedged open during a quick cigarette break. A laptop is left carelessly behind in a taxi ride to the airport. And suddenly it doesn't matter how good your company's security system is. It has just succumbed to human failure.

"I can have all the gadgets in the world," says Chris Apgar, data security and HIPAA compliance officer for Providence Health Plans, "but if people don't understand the basics, like don't send things over the Internet, and make sure your files are put away, well, I can spend millions on security, and it won't do any good."

And so it goes with corporate security. People get busy. Or distracted. Or careless. Or downright malicious. In fact, if there's one thing about which people in the security field readily agree, it's that weaknesses in user practices pose a bigger threat to an organization's security than any vulnerabilities in technology do.

"The best technology can always be circumvented by an employee," says Gary Morse, president of security consultancy Razorpoint Security Technologies. "You can have the best security policy in the universe, but people just get busy."

Without a doubt, the employee is often the weakest link in the security chain. "People think, 'It's just data; it's not really important,'" says Thomas Luce, former CSO of Rochester Health Care Information (RHI) Group and now an independent security consultant. "They don't understand the damage they could do, especially in health-care and financial services companies."

And so a solid recipe for a truly effective security strategy needs to include two parts common sense, and a certain amount of change management. "Security is not simply a piece of technology," says Apgar. "It's a culture and a process and a procedure and an indoctrination."

"An organization's technology is only as strong as the people behind it," adds Roger Hughes, president of Data Security Auditors, an independent auditor. "Systems and processes are built by employees." That makes it imperative that you work to change the thinking in your organization from "Nothing bad will happen here" to "If I share my password, this can happen," or "If I leave an area unsecured, that can happen."

The biggest challenge facing the security industry is knowing how to transform an organization's users from its biggest vulnerability into the first line of defense. The bad news is that it's not going to be easy. The good news is that it's not going to be impossible. Here are three steps to get started.

Step One: Develop a Written Security Policy

Although it may seem like a painfully obvious omission, the truth is that many companies have no real security policy. And of the policies that do make it onto paper, many go the way of screenplays written by struggling writers: passed around a lot, occasionally asked after but never really read. "The omission of a formal security training scheme is the norm," says Michael Casper, information security officer at Wachovia Bank. "So simply having formal training materials and implementing them is paramount to the beginning of security education success."

An effective security policy must first of all be put in writing. And in doing so, it should clearly spell out every last detail of company practices, such as how information technology employees should identify themselves when contacting a remote user about a technology problem, what types of e-mail are appropriate and how often users should reset their passwords. In addition to emphasizing security inside the building, a security policy should also address the dangers that lurk outside, including the risks of using laptops on business trips or carrying data on PDAs.

"It all boils down to a company having a solid yet understandable data security policy and procedure program," says Data Security Auditors' Hughes. "You know, making sure everybody knows what's OK and what's not OK."

Just as important as creating a policy, says Razorpoint's Morse, is making sure that the policy is uniform across all company locations. An organization that lacks consistency in its policy is vulnerable to social engineering attacks, for example, where a hacker can gain access to data or passwords by calling an employee and pretending to be from another location within the company. "In a word, people have to verify," Morse says. "They have to be able to say, 'Who is that person, and how do I know?'"

The tricky part lies in massaging a policy so that it protects valuable data while allowing users the flexibility they need to do their job. Providence Health Plans' Apgar tells of an incident at his company when, upon discovering that Providence shared some systems with another health-care company, Providence had to put controls in place. The problem was the systems had little capability to limit access, so Apgar needed to do it without cutting off his own users from information they needed. "Data security got in the way of itself," he says. "Instead of the security people saying, 'Maybe we should look at this and see if we can live with it,' they said, 'Oh, the attorney said to do it, so we'll have to turn it off.'" After careful consideration and some heated discussions, Apgar's group made the decision to build new controls into the system at minimal cost, which ended up working to everyone's satisfaction. CSOs must first take the time to understand the business and users' needs before setting limits.

In addition, Hughes points out, it's critical to look at business partners outside your own firewall with whom you might be sharing information and address potential vulnerabilities in the security policy. "If you're in manufacturing and you're sharing proprietary information with the vendors helping you build, you might be secure, but how secure are your vendors?" he asks. A solid security policy covers all those bases.

Step Two: Sell the Policy

It's no secret that those who are well suited to create a security policy are not always the most adept at getting its message across. "Security professionals don't always make the best communicators," admits Stacy Bresler, senior information security principal at Pacificorp, a subsidiary of ScottishPower. When Bresler and his team implemented a new security awareness program for Pacificorp's users, a group from corporate communications helped prepare the presentation material that was handed out to employees during awareness training sessions. "Good experts have a way of understanding and spreading that understanding," he says. In addition, Pacificorp's security team hired professional actors to play out the message in a video. Every employee was required to either attend a security presentation or watch the video.

Security, except to a select few, is about as exciting as watching the grass grow...in the desert...during a heat wave. "I think you have to be a certain person to care about security," says Bresler.

Independent security consultant Luce agrees: "Security is a boring topic to most people. So you have to put stuff in to counter that and get people's attention." His suggestion: Make it fun. When he worked for RHI, he introduced an in-house security training plan with a kick-off party. On occasion, he would also run tests to see who could catch potential security breaches. Those who discovered them were rewarded with gift certificates for dinner or points toward a bonus vacation day.

At Providence Health Plans, Apgar strives to take a positive approach to get his users' attention focused on security procedures. "Instead of saying, 'You have all this stuff you need to do,' we say, 'We do 80 percent of this already, and we just need to do it better.'" And, he insists, trust is a key ingredient to a secure organization. "If you trust people to be honest and professional, 90 percent will be," he says. "If you expect the opposite, that becomes a self-fulfilling prophecy."

Since security is not top of mind for the typical user, security executives must also emphasize the rules stated in the policy regularly. "It's an educational process, and it's repetitive," says Luce. This repetition becomes particularly important when the company's policies change. "Once everyone is trained, you have to have everyone sign off on [the policy] every year," says Hughes. "Give them an updated version, educate them on what the changes are, and have them sign something saying they agree to comply."

Any method will work, as long as the education takes place. For example, a security officer at a large food manufacturer says his department publishes frequent security bulletins with reminders about keeping passwords safe and cleaning sensitive data off machines. The company then distributes hard copies to everyone because employees are more likely to read paper than they are to read e-mails, he says. At Providence Health Plans, Apgar varies his approach. "We do training periodically," he says. "We keep the lines open, combining a number of different approaches, from formal training to an informational stop in the hall. We're taking it a little bit at a time." At Pacificorp, Bresler and his team conduct walk-throughs at individual desktops, performing surprise audits and reminding users of the rules.

Step Three: Enforce the Policy

While a company's security team is ultimately responsible for generating security policies, some of the onus for enforcing them should fall on department managers. In the health-care industry, for example, Apgar has learned that good security means performing a balancing act between giving people enough information to do their job and keeping privacy intact. One of the keys to that, he says, is keeping the lines of communication open with department heads so that if breaches occur, management can play a role in repairing them.

When Apgar learned that users in his organization had broken two of the cardinal rules of health-care security (don't fax screen prints from claims, and don't use the system to look up your own information), he went to the appropriate department managers and helped them decide how to educate their staff. Pacificorp's Bresler follows the same advice. He and his security colleagues expect middle management to accept the bulk of responsibility for enforcing security policies. "In an organization of our size [8,000 users], we're not going to micromanage down to the end users," he adds.

Bresler says that managers should also be responsible for enforcing the rules related to wireless security. "Business managers want their users to be productive but don't consider the risks associated with that," he says. For one thing, Bresler says, it's rare for business managers to communicate to users the dangers of connecting a laptop holding sensitive data to a hotel LAN. "Wireless is convenient, cheap and handy," adds Morse. "Unfortunately people want the quick fix, and they take it out of the box and they go through the quick start guide. They don't turn on access passwords or the encryption." It's possible to make wireless devices much more secure, he says, but it involves some extra work on the part of the users.

Delegating accountability to your users is also key to a security policy's success. If "it will never happen here" takes first place as the CSO's least favorite sentiment, "a security breach won't really affect me" comes in a close second. "A lot of people don't understand the implications of what the information could do outside of their hands," says Luce. Once users comprehend the importance of the data they safeguard, they should know that failure to comply with security policies could mean a big fat black mark on their record. After all, most users care more about their own interests than about the company's. If users know that their personal well-being is at risk, they will start to think about corporate security in a whole new light.

"Some companies have updated their packets, and there are whole sections saying, 'You will maintain proper passwords or you'll be fired, or liable, or both,'" says Razorpoint's Morse. Pacificorp's Bresler thinks a "three strikes and you're out" policy is ideal.

To that end, security experts say, it's critical to work closely with the human resources department. Forging a strong link can build valuable and necessary support, says Hughes, and will guarantee follow-through if breaches occur. "IT and HR must work in concert with the COO or GM to make sure people understand these policies and procedures," says Hughes of Data Security Auditors. "Have a luncheon or seminar or a new-employee orientation where the security policy is part of it. Have employees sign it, and make sure they know they're accountable. If they do something that costs the company money, that's grounds for termination."

Just as important as preaching accountability is practicing it. Luce notes that even when companies write such accountability into their policies, a lot of users don't pay attention. Senior management, he says, is prone to letting offenses slide. He recalls performing security audits at organizations with supposedly zero-tolerance policies that looked the other way when security breaches happened by accident. That, he says, is asking for trouble. "Human nature says you'll get away with whatever the minimal amount of work is," says Luce. "If you don't put something in place to force users to use real passwords, then they won't."

Scare tactics are a controversial way to guarantee compliance. Luce is an admitted fan of using horror stories when he conducts audits. "I do quite often use scare tactics, usually with a newspaper article about a lawsuit. That does a really good job on presidents and CEOs," he says. Apgar of Providence Health Plans also uses such a strategy, but cautions against relying on it too often. "I use horror stories judiciously," he says. He worries that too many tales of security gone wrong could turn him into Chicken Little. But he says he's not averse to telling senior management stories that hit close to home, like breaches that have happened in their own industry.

Bresler adds that he prefers to sanitize the story of something that actually happened to Pacificorp and make it public. "These things do happen and have resulted in dismissals," he says. Users who hear "this could happen to you" stories are more likely to take security policies seriously.

In the end, technology can do a lot to protect precious corporate assets, but it can go only so far. The rest is up to the users. "You can have a really nice garage, but if there's no door on it, it's wide open for a car thief," says Hughes. The harder the CSO works to make users the responsible stewards of corporate data, the safer a company will ultimately be.

Copyright © 2003 IDG Communications, Inc.
