Security awareness: Helping employees really 'get' company policy

Research finds while most employees believe they understand their company's security policies, a large number have never received any formal policy education or training. How can an organization really ensure people understand risk?

Employee awareness of their companies' security policies is high—if you ask the employees. In a survey of 2,000 office workers, software security company Clearswift found that almost three quarters (74 percent) felt 'confident' that they understood their employers' Internet security policies, that is, the policies designed to safeguard data and IT security as well as to maintain productivity.

But the confidence is misplaced, Clearswift suggests in their summary of the findings, because a third of those surveyed have not received any training on IT security since joining their firm. And more than two thirds of those who have not had recent training joined their organization more than five years ago—a 'technological lifetime,' notes Clearswift.

"Pretty much every employee can remember a vague discussion about policy at some time in their career—maybe when they joined their current employer or it may be from their previous job," said Andrew Wyatt, Clearswift's COO. "When security is kept in the shadows and not discussed openly, and only referred to when things go wrong, it is all too easy for office 'folklore' to become perceived as official policy very quickly. If employees are not aware of when they have broken policies—in some cases because the policy is not even enforced—it can lead to a false sense of security or a belief that what they are doing is actually in line with the corporate policy."


The research raises a question that is frequently discussed, but very rarely measured, among organizations: What kind of awareness training is effective? Is it regular and incremental? Is it most effective when done through courses, formal sessions or informal discussions? And how does an organization gauge its effectiveness?

At health-services provider Cigna Corp., employee awareness training takes place regularly, according to the company's CISO, Craig Shumard. "It's not just a one and done kind of thing," he says.

As an example of how Cigna deals with security and privacy policy, Shumard points to the fairly recent phenomenon of social media use among employees. In the last two years, Cigna has had to add to and revise existing policies in order to respond to the adoption of social media sites for both Cigna's business use, as well as to allow employees to access them for personal reasons while at work.

"The policy that we have around social media is actually in the overall corporate policy around communications and fair disclosure," said Shumard. "So, when we look at policies around external media we see these are issues we have emphasized all along. Before social media, we made it clear when it came to blogs that folks are not supposed to be speaking on behalf of Cigna. It is the same policy now with regard to social media sites. Employees can use these tools on a strictly personal basis—and they should not disclose company information that would not be appropriate given the manner of what we do."

In other words, Cigna didn't reinvent the wheel when dealing with social media policy. They didn't need to. But while the rules addressing social media use essentially took much of what already existed in Cigna policy and gave it new shape, Shumard said employees still need a refresher on the specifics, which they get through various types of education sessions. The proof of its effectiveness is the lack of security incidents, said Shumard. He said Cigna has so far not needed to terminate an employee for improper use of social media that violated policy.

"We spend a lot of time on training and awareness to ensure that people know what good behavior is, what proper behavior is on social media. For example, we do monthly protection pointers. In addition to that we have targeted training for specific groups. We also have specific other activities folks may engage in. We have some classroom training, some online training. We have groups we may pull together for a lunch and learn. There are a lot of different facets to the training and awareness standpoint and I think anyone who is just putting out a monthly reminder on something and not having a more complete approach is probably missing something."


Michael Santarcangelo, an expert on security awareness who speaks on the topic, takes a different approach when advising clients.

"I argue that we have to first change the structure of dialogue in the enterprise and then practice dialogue, which includes listening as well as talking. In my experience, most organizations monologue under the name of dialogue."

Through his practice and consultancy, 'The Security Catalyst,' Santarcangelo conducts ongoing research on what he calls The Human Paradox Gap, which he defines as the distance between action/decision and the impact of the consequences. When people are disconnected from the consequences of their actions, they do not take responsibility and are not held accountable, he said. Effective awareness programs shift that thinking and inspire a change in behavior. And it starts with having the right kind of conversations with employees.

"More technology and more training misses the point. The underlying challenge is the disconnection. Instead of focusing on a dialogue with employees about 'security,' 'risk' and the like, I'd drop the word security and focus on risk, responsibility and consequences/accountability. If we ask 10 people to define security, we'll get 15 answers—as a word, it's too confusing to get consistent or accurate results. Generally 'training' on the 'policies' tends to be more disruptive and instructive. This has the perverse effect of disconnecting people further from the policies than bridging the gap: people are interrupted in the name of 'security' and focus on getting through it rather than understanding."

Copyright © 2010 IDG Communications, Inc.