User training is an essential part of any security endeavor. Not every worker in an organization is automatically an IT or technology expert, nor should you expect them to be. User training and security awareness aim at providing all users with basic security knowledge, as well as job-specific security information.
To hold users accountable for their actions, first clearly define the boundaries and limitations of the network security policy. A set of rules and restrictions that personnel have never been told about cannot be enforced, and attempting to enforce it anyway leads to employee grievances and dissatisfaction. Training and awareness are necessary to educate users on their responsibilities and on the consequences of violating organizational policy.
Software security expert Gary McGraw says:
For many years I have struggled with how to teach people . . . security design. The only technique that really works is apprenticeship. Short of that, a deep understanding of security design principles can help.
Without adequate security education for users, maintaining a secure environment is difficult, if not impossible. Technology cannot solve or remedy all security concerns, including the human factor. However, many organizations fail to support end-user training adequately.
The result is users who do not understand the importance, need, and benefits of security. It also results in more policy violations; most of these are benign and accidental, but each is still an incident that you will need to investigate and resolve.
A few common end-user security mistakes or problems caused by a lack of security training include:
- Opening email attachments from unknown sources or from a known source with an unexpected or unusual attachment
- Preventing updates and patches from installing, even when approved and recommended by the security staff
- Installing unapproved software on work computers, including games, screensavers, utilities, instant messaging clients, and browser plug-ins
- Installing software on work computers that you have not verified as safe and free from malicious code
- Failing to make backups of work data on work computers if stored locally
- Using a modem or wireless connection from a desktop or notebook computer while it is still connected to the company LAN, which bridges an untrusted network directly into the internal network
- Using a password storage/tracking utility that does not encrypt its database
- Walking away from computers while still logged in
- Connecting unknown and unapproved devices to a work computer
- Using portable media and storage devices from an external source on a work computer
- Installing remote control or remote access software on work computers without obtaining approval
- Using the same password on multiple systems
- Leaving portable devices in locations where they could be easily stolen, such as in a car’s backseat
These are just some examples of common security problems caused by untrained users. You can avoid or at least minimize most of these issues with reasonable user security education.
It is also common for IT staff to make security mistakes, even though they are much more knowledgeable about technology. Someone who is a “techie” or might be considered a computer geek does not necessarily possess security knowledge.
Some mistakes made by technology experts (who really should know better) include:
- Using the same password on multiple systems
- Failing to change the default password on a device
- Allowing new systems to go online before each is properly hardened and/or tested
- Failing to keep current with available patches and upgrades, especially those related to security
- Using remote system and device management mechanisms that are convenient but not secure, such as Telnet or unencrypted HTTP management interfaces instead of SSH or HTTPS
- Discussing passwords over the phone, including changing passwords based on over-the-phone requests
- Failing to properly check identity, authority, and permission before giving out information or access to resources
- Failing to implement a proper backup solution
- Not verifying and testing that backups are working properly
- Assuming something is secured or properly configured without specifically checking and verifying
- Allowing unnecessary and potentially insecure applications, services, and protocols to remain on a system
- Deploying security and network devices such as firewalls, proxies, and routers without changing their default settings
- Failing to understand all of the security configuration options on a new software or hardware product
- Putting new software or hardware into production before thoroughly testing and gaining approval
- Allowing anti-malware defenses to become out of date
- Allowing sensitive information to be communicated without an encrypted channel
Even a knowledgeable technical professional can learn how to be more secure through proper training and awareness education. Every single person throughout an organization has security responsibilities. These need to be defined, explained, and taught.
Users will improve their behaviors when they understand what the risks are, what is at stake, and how their behavior will affect them if they fail to support security.
The goal of security-related training is user behavior modification. Users need to change their regular activities from those that place people and property in the workplace at risk to those that avoid risk. Most people understand risk once it is pointed out, but they must be made aware of a specific risk before they will change how they act.
Good user training will cause an improvement in user compliance with the standards, policies, procedures, and guidelines of your organization.
Often, the beginning of security training is awareness. Awareness is introductory, foundational, and ubiquitous security information that applies to all employees. Awareness aims at establishing a common baseline of security understanding for the entire organization.
The principal means of awareness training is in a classroom setting. It should, however, include a wide variety of communications, including online videos, interactive websites, posters, email reminders, regular memos or newsletters, wall banners, coffee mugs, sticky notes, manager review meetings, loudspeaker announcements, screensavers, mouse pads, and even voice-mail messages.
The point is to inform users about basic security essentials, and then reinforce those basics while they are at work. Remember to keep the message fresh by changing the visuals in posters and screensavers so employees do not disregard the message; when it has been viewed many times, it is ignored.
Awareness is important for all personnel, in all job positions, at every level of access, from the top to the bottom of an organization. Everyone should understand basic security issues. These often focus on general responsibilities, liability, seeking to avoid waste and fraud, reduction of unauthorized activities, and watching for abnormal or suspicious events.
It is important for employees to observe that security is important to the organization. This means that even top executives must be held accountable to the same basic principles enforced throughout the general employee population. If employees see evidence of noncompliance or policy exceptions by senior management, they get the impression that the rules are not important enough for anyone to follow. You do not want employees to be frustrated and confused by a “Do as I say, not as I do” management model.
Every organization should have a written security policy, but that is not enough. To ensure that an individual knows the policy, the individual should be required to read it and sign a statement that he or she has read the policy and will abide by it and any subsequent updates.
These requirements apply not only to salaried and hourly employees but to anyone given electronic or physical access to the organization’s premises, and to its assets while those assets are in transit outside the physical facility.
This could include contractors, suppliers, and others, and it requires constant monitoring. It could even require a test or security certification, background check, or other means of determining ongoing compliance.
One means of encouraging users to comply with policies is to ensure that they are aware of the consequences of noncompliance. No one given permission to access assets of the organization is exempt from the security policy.
After awareness comes training. Training focuses on security issues and topics more closely related to specific job tasks. Training consists, therefore, of job-specific security information. Security training of this type assists users in accomplishing their individual work tasks while staying within the boundaries of the security infrastructure.
Most organizations offer in-house awareness and training. This is common because such training directly reduces incidents, as well as the associated costs of handling and responding to internal accidental and ignorance-based breaches.
Beyond training is security education. This form of learning has a broader scope than a job description or the organization as a whole. The purpose of security education is to obtain extensive knowledge about security and related subjects, even if they do not directly apply to current work responsibilities or tasks. Education is for the advancement of the individual, perhaps to improve his or her career outlook.
Education is usually obtained outside an organization. A company might perceive education as either a threat to employee retention or a benefit to keep employees happy. Most organizations want to improve the skills of their personnel. Either way, security education improves the knowledge and skill of the individual.
Security awareness, training, and education are beneficial for any security endeavor. Including and funding it in your organization’s overall security solution will improve your odds of success. For organizations in compliance-based industries, it is an essential element to maintaining annual compliance.