Employee Security Education: Pillars of Your Community

A computer password is tacked up casually on the cubicle wall. A door out back is wedged open during a quick cigarette break. A laptop is left carelessly behind in a taxi ride to the airport. And suddenly it doesn't matter how good your company's security system is. It has just succumbed to human failure.

"I can have all the gadgets in the world," says Chris Apgar, data security and HIPAA compliance officer for Providence Health Plans, "but if people don't understand the basicslike don't send things over the Internet, and make sure your files are put awaywell, I can spend millions on security, and it won't do any good."

And so it goes with corporate security. People get busy. Or distracted. Or careless. Or downright malicious. In fact, if there's one thing about which people in the security field readily agree, it's that weaknesses in user practices pose a bigger threat to an organization's security than any vulnerabilities in technology do.

"The best technology can always be circumvented by an employee," says Gary Morse, president of security consultancy Razorpoint Security Technologies. "You can have the best security policy in the universe, but people just get busy."

Without a doubt, the employee is often the weakest link in the security chain. "People think, It's just data; it's not really important," says Thomas Luce, former CSO of Rochester Health Care Information (RHI) Group and now an independent security consultant. "They don't understand the damage they could do, especially in health-care and financial services companies."

And so a solid recipe for a truly effective security strategy needs to include two parts common senseand a certain amount of change management. "Security is not simply a piece of technology," says Apgar. "It's a culture and a process and a procedure and an indoctrination."

"An organization's technology is only as strong as the people behind it," adds Roger Hughes, president of Data Security Auditors, an independent auditor. "Systems and processes are built by employees." Which makes it imperative that you work to change the thinking in your organization from "Nothing bad will happen here" to "If I share my password, this can happen," or "If I leave an area unsecured, that can happen."

The biggest challenge facing the security industry is knowing how to transform an organization's users from its biggest vulnerability into the first line of defense. The bad news is that it's not going to be easy. The good news is that it's not going to be impossible. Here are three steps to get started.Step One: Develop a Written Security Policy Although it may seem like a painfully obvious omission, the truth is that many companies have no real security policy. And of the policies that do make it onto paper, many go the way of screenplays written by struggling writerspassed around a lot, occasionally asked after but never really read. "The omission of a formal security training scheme is the norm," says Michael Casper, information security officer at Wachovia Bank. "So simply having formal training materials and implementing them is paramount to the beginning of security education success."

An effective security policy must first of all be put in writing. And in doing so, it should clearly spell out every last detail of company practices, such as how information technology employees should identify themselves when contacting a remote user about a technology problem, what types of e-mail are appropriate and how often users should reset their passwords. In addition to emphasizing security inside the building, a security policy should also address the dangers that lurk outsideincluding the risks of using laptops on business trips or carrying data on PDAs.

"It all boils down to a company having a solid yet understandable data security policy and procedure program," says Data Security Auditors' Hughes. "You know, making sure everybody knows what's OK and what's not OK."

Just as important as creating a policy, says Razorpoint's Morse, is making sure that the policy is uniform across all company locations. An organization that lacks consistency in its policy is vulnerable to social engineering attacks, for example, where a hacker can gain access to data or passwords by calling an employee and pretending to be from another location within the company. "In a word, people have to verify," Morse says. "They have to be able to say, Who is that person, and how do I know?"

The tricky part lies in massaging a policy so that it protects valuable data while allowing users the flexibility they need to do their job. Providence Health Plans' Apgar tells of an incident at his company when, upon discovering that Providence shared some systems with another health-care company, Providence had to put controls in place. The problem was the systems had little capability to limit access, so Apgar needed to do it without cutting off his own users from information they needed. "Data security got in the way of itself," he says. "Instead of the security people saying, Maybe we should look at this and see if we can live with it, they said, Oh, the attorney said to do it, so we'll have to turn it off." After careful consideration and some heated discussions, Apgar's group made the decision to build new controls into the system at minimal cost, which ended up working to everyone's satisfaction. CSOs must first take the time to understand the business and users' needs before setting limits.

In addition, Hughes points out, it's critical to look at business partners outside your own firewall with whom you might be sharing information and address potential vulnerabilities in the security policy. "If you're in manufacturing and you're sharing proprietary information with the vendors helping you build, you might be secure, but how secure are your vendors?" he asks. A solid security policy covers all those bases. Step Two: Sell the Policy It's no secret that those who are well suited to create a security policy are not always the most adept at getting its message across. "Security professionals don't always make the best communicators," admits Stacy Bresler, senior information security principal at Pacificorp, a subsidiary of ScottishPower. When Bresler and his team implemented a new security awareness program for Pacificorp's users, a group from corporate communications helped prepare the presentation material that was handed out to employees during awareness training sessions. "Good experts have a way of understanding and spreading that understanding," he says. In addition, Pacificorp's security team hired professional actors to play out the message in a video. Every employee was required to either attend a security presentation or watch the video.

Security, except to a select few, is about as exciting as watching the grass grow...in the desert...during a heat wave. "I think you have to be a certain person to care about security," says Bresler.

Independent security consultant Luce agrees: "Security is a boring topic to most people. So you have to put stuff in to counter that and get people's attention." His suggestion: Make it fun. When he worked for RHI, he introduced an in-house security training plan with a kick-off party. On occasion, he would also run tests to see who could catch potential security breaches. Those who discovered them were rewarded with gift certificates for dinner or points toward a bonus vacation day.

At Providence Health Plans, Apgar strives to take a positive approach to get his users' attention focused on security procedures. "Instead of saying, You have all this stuff you need to do, we say, We do 80 percent of this already, and we just need to do it better." And, he insists, trust is a key ingredient to a secure organization. "If you trust people to be honest and professional, 90 percent will be," he says. "If you expect the opposite, that becomes a self-fulfilling prophecy."

Since security is not top of mind for the typical user, security executives must also emphasize the rules stated in the policy regularly. "It's an educational process, and it's repetitive," says Luce. This repetition becomes particularly important when the company's policies change. "Once everyone is trained, you have to have everyone sign off on [the policy] every year," says Hughes. "Give them an updated version, educate them on what the changes are, and have them sign something saying they agree to comply."

Any method will workas long as the education takes place. For example, a security officer at a large food manufacturer says his department publishes frequent security bulletins with reminders about keeping passwords safe and cleaning sensitive data off machines. The company then distributes hard copies to everyone because employees are more likely to read paper than they are to read e-mails, he says. At Providence Health Plans, Apgar varies his approach. "We do training periodically," he says. "We keep the lines open, combining a number of different approaches, from formal training to an informational stop in the hall. We're taking it a little bit at a time." At Pacificorp, Bresler and his team conduct walk-throughs at individual desktops, performing surprise audits and reminding users of the rules.Step Three: Enforce the PolicyWhile a company's security team is ultimately responsible for generating security policies, some of the onus for enforcing them should fall on department managers. In the health-care industry, for example, Apgar has learned that good security means performing a balancing act between giving people enough information to do their job and keeping privacy intact. One of the keys to that, he says, is keeping the lines of communication open with department heads so that if breaches occur, management can play a role in repairing them.

When Apgar learned that users in his organization had broken two of the cardinal rules of health-care securitydon't fax screen prints from claims, and don't use the system to look up your own informationhe went to the appropriate department managers and helped them decide how to educate their staff. Pacificorp's Bresler follows the same advice. He and his security colleagues expect middle management to accept the bulk of responsibility for enforcing security policies. "In an organization of our size [8,000 users], we're not going to micromanage down to the end users," he adds.

Bresler says that managers should also be responsible for enforcing the rules related to wireless security. "Business managers want their users to be productive but don't consider the risks associated with that," he says. For one thing, Bresler says, it's rare for business managers to communicate to users the dangers of connecting a laptop holding sensitive data to a hotel LAN. "Wireless is convenient, cheap and handy," adds Morse. "Unfortunately people want the quick fix, and they take it out of the box and they go through the quick start guide. They don't turn on access passwords or the encryption." It's possible to make wireless devices much more secure, he says, but it involves some extra work on the part of the users.

Delegating accountability to your users is also key to a security policy's success. If "it will never happen here" takes first place as the CSO's least favorite sentiment, "a security breach won't really affect me" comes in a close second. "A lot of people don't understand the implications of what the information could do outside of their hands," says Luce. Once users comprehend the importance of the data they safeguard, they should know that failure to comply with security policies could mean a big fat black mark on their record. After all, most users are more interested in their personal interests than those of the company. If users know that their personal well-being is at risk, they will start to think about corporate security in a whole new light.

"Some companies have updated their packets, and there are whole sections saying, 'You will maintain proper passwords or you'll be fired, or liable, or both,'" says Razorpoint's Morse. Pacificorp's Bresler thinks a "three strikes and you're out" policy is ideal.

To that end, security experts say, it's critical to work closely with the human resources department. Forging a strong link can build valuable and necessary support, says Hughes, and will guarantee follow-through if breaches occur. "IT and HR must work in concert with the COO or GM to make sure people understand these policies and procedures," says Hughes of Data Security Auditors. "Have a luncheon or seminar or a new-employee orientation where the security policy is part of it. Have employees sign it, and make sure they know they're accountable. If they do something that costs the company money, that's grounds for termination."

1 2 Page 1
Page 1 of 2
What is security's role in digital transformation?