Employee awareness: The missing link

What does it mean when 90% of computer users can remember the name of the performer from the last Super Bowl half-time show, but only 60% know when they last updated their computer security software? It means security awareness is not where it should be.

The nonprofit National Cyber Security Alliance released a study with these results and also reported that more than a third of the PC users surveyed believed they had a greater chance of winning the lottery or being struck by lightning than of being hit by malicious code.

Something isn't right.

In an Ernst & Young study, more than 70% of the 1,233 organizations surveyed failed to list training and raising employee awareness of information security issues as a top initiative. Even though 93% of businesses have antivirus software in place, 72% of businesses received infected e-mail files during 2004, and roughly two-thirds of large businesses experienced virus infections or denial-of-service attacks last year. And still, fewer than half of Ernst & Young's respondents provide their employees with ongoing security training.

Today's businesses face severe security risk, and growing business concerns demand proactive intrusion prevention. Central security measures such as firewalls, antivirus software and content filtering help protect company data, but organizations must also recognize the value of raising security awareness among their employees. Individuals who have not been properly trained to deal with Internet threats are responsible for some of the largest security breaches today. According to Meta Group research, 75% of organizations have found that a lack of user awareness damages the effectiveness of their security programs. Organizations across every industry must take the time to develop a security awareness program, which could turn out to be the missing link -- the most powerful link -- in their chain of defense.

With security intrusions on the rise, information protection is more crucial than ever. And while there is no single universal solution, passive resignation is not the answer either. As businesses become more dependent on technology and the Internet, computer security is becoming increasingly vital, not only to success but to survival.

The following guidelines and suggestions will help companies develop an effective employee security-awareness training program, and in doing so build business environments that can withstand unwanted intrusions.

Evaluate current end-user awareness

The first step is to form a security awareness task force, which serves as the bridge between designing the program and introducing it across the company. A typical task force includes individuals from a variety of areas, including IT security, physical security, corporate training, HR, legal, marketing and internal communications.

The task force's first responsibility is to conduct a comprehensive security audit. From this audit, the team, management and the organization as a whole will understand the current state of corporate security awareness. Such an audit will reveal which security policies exist, the level of employee awareness and the security programs already in place.

Working together, the auditors and IT security managers need to establish which end-user systems are in use, who is operating them and how well those users are trained. They should evaluate the organization's current end-user environment and determine whether there are any special circumstances that require extra security attention, such as remote workers or wireless devices. They should learn what kind of computer security training new employees receive and how effective that training really is. The team should also determine whether employees understand and follow the organization's existing information security policies.

The best way to obtain this data is to ask the following key audit questions:

  1. Is there a security policy that is enforced consistently across the organization? Does it cover employees who have special needs, such as remote workers and those with laptops and PDAs?
  2. Are there practices and technologies in place that can detect a security breach? What security hardware and software are users running? Do employees know how to use that software?
  3. Would employees know what to do if they detected a security violation? What would end users do if they suspected a security breach or another Internet threat?

Acquiring an operational understanding of the company's environment, as well as an understanding of what motivates its employees, is also a vital element of the audit. Company cultures vary tremendously, so the program needs to be tailored to the audience from a cultural perspective. Throughout this process, it's important to be aware of how a particular organization's employees learn and what motivates them. The reason for raising awareness is to change behavior, and there are many different techniques for instilling that change in an audience.

Developing an effective program

For the design stage of an employee security-awareness program to succeed, a substantial amount of thought and effort must be invested. Long before any security policy memos are sent out or companywide meetings are scheduled, sincere effort should go into planning, setting goals and creating a vision for the company. As with any training program, the leaders need to know where they want to go before they can get there; therefore, it's important to define a mutually agreed vision statement that outlines specific program objectives.

An effective program provides training and communication resources that address the problems and needs discovered during the audit. It should include appropriate, enforceable and easily understood computer-usage policies. It must be shaped around each organization's environment, building on the good security habits already in place and replacing the bad ones. The program should be based on security industry best practices and international security standards.

Designing the actual security-awareness program is a major undertaking and a vital part of increasing security awareness. However, it is definitely not the only important aspect of the planning process. Unless the organization's management team is on board, almost any company program is going to prove useless. Management not only controls the budget, but also has the power to build the momentum needed to implement any successful companywide plan. Gaining management support can be accomplished by building a solid business case and demonstrating how the program's effectiveness will be measured.

Employing a successful program

The security awareness task force can provide valuable feedback and insight on the planning and design side, but it also plays a vital role in driving the execution and communication efforts associated with the security awareness program.

Sometime during the preliminary planning stage, a team leader should be chosen from the task force. Under the team leader's direction, the task force can help create and approve training materials, determine the most effective delivery methods and establish a theme that generates a sense of "brand recognition" around the program. Considerable research and discussion should take place during this phase to ensure that the most effective program is being developed.

In developing the program, it is crucial that the content supporting it is accurate, effective and achievable. As a whole, the program should educate employees about simple things they can do to protect data, such as how to handle e-mail attachments and how to create and store passwords properly. Workers who telecommute or travel frequently should understand how to secure their laptops or PDAs. In addition, the training should cover topics such as phone fraud, Web browsing, e-mail spam and instant messaging. Each of these activities can expose a company to unnecessary risk if employees are not trained to handle them appropriately.

Building measurements and evaluating success

During the planning and design process of a security awareness program, task force leaders should define what they hope to accomplish. Remember, the purpose of creating awareness is to change behavior. It is also important to remember that gaining management's support will depend in part on how effectively the program's success can be measured. The audit conducted earlier in the planning process should have revealed valuable information about past security practices, policies and awareness that can serve as a benchmark against which to measure progress.

There are several different approaches to measuring a training program. It is valuable to develop a system that records who is participating, the time spent on awareness training, the program completion rate, and test or quiz results. Several types of learning management systems are available that provide the infrastructure to support training content, tracking and registration. Make full use of the information gathered in the initial company security audit. Evaluations made before and after training often reveal the most valuable information.
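As an added illustration of the measurement approach described above (this is example code written for this edit, not from the article or from any Symantec tool), the script below rolls up the metrics the text names: participation, time spent, completion rate, quiz pass rate and the before-and-after knowledge gain, broken down by department. The record layout and the sample records are assumptions constructed for the example; the pre/post comparison deliberately uses only employees who took both quizzes, so that people who skipped the baseline do not distort the gain figure.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Enrollment:
    """One employee's record in the awareness program (assumed layout)."""
    employee: str
    department: str
    pre_score: Optional[int]   # baseline quiz before training (0-100), None if skipped
    post_score: Optional[int]  # quiz after training; None means not completed
    minutes: int               # time logged in the training module


# Constructed sample data for the example; not real employees or results.
RECORDS: List[Enrollment] = [
    Enrollment("alice", "Engineering", 60, 90, 25),
    Enrollment("bob", "Engineering", 70, 85, 20),
    Enrollment("carol", "Engineering", 50, None, 5),
    Enrollment("dave", "Sales", 40, 70, 30),
    Enrollment("erin", "Sales", 55, 80, 15),
    Enrollment("frank", "Sales", None, 75, 18),
    Enrollment("gina", "Sales", 65, None, 0),
    Enrollment("hank", "Finance", 75, 95, 22),
    Enrollment("iris", "Finance", 80, 90, 19),
]


def summarize(records: List[Enrollment], passing: int = 80) -> Dict[str, dict]:
    """Per-department metrics: enrollment, completion, time, pass rate, knowledge gain."""
    by_dept: Dict[str, List[Enrollment]] = defaultdict(list)
    for r in records:
        by_dept[r.department].append(r)

    summary: Dict[str, dict] = {}
    for dept, rs in by_dept.items():
        completed = [r for r in rs if r.post_score is not None]
        # Only employees with both a baseline and a post-training score count
        # toward the gain, so the before/after comparison is like-for-like.
        paired = [r for r in completed if r.pre_score is not None]
        summary[dept] = {
            "enrolled": len(rs),
            "completed": len(completed),
            "completion_rate": len(completed) / len(rs),
            "avg_minutes": sum(r.minutes for r in rs) / len(rs),
            "pass_rate": (sum(r.post_score >= passing for r in completed) / len(completed)
                          if completed else 0.0),
            "avg_gain": (sum(r.post_score - r.pre_score for r in paired) / len(paired)
                         if paired else None),
        }
    return summary


def below_target(summary: Dict[str, dict],
                 min_completion: float = 0.9,
                 min_pass: float = 0.8) -> List[str]:
    """Departments that miss either the completion or the pass-rate target (thresholds assumed)."""
    return sorted(
        dept for dept, m in summary.items()
        if m["completion_rate"] < min_completion or m["pass_rate"] < min_pass
    )


if __name__ == "__main__":
    stats = summarize(RECORDS)
    for dept, m in sorted(stats.items()):
        gain = "n/a" if m["avg_gain"] is None else f"{m['avg_gain']:+.1f}"
        print(f"{dept:12} enrolled={m['enrolled']} completed={m['completed']} "
              f"completion={m['completion_rate']:.0%} pass={m['pass_rate']:.0%} "
              f"gain={gain} avg_min={m['avg_minutes']:.1f}")
    print("needs follow-up:", below_target(stats))
```

Feeding the rollup back to management as a short table, and rerunning it after each training cycle against the same audit baseline, is what turns the quiz and completion data into the progress measure the text asks for.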

Moving the program forward

Once the program has been implemented and the results have been measured, the job is anything but done. Keeping a security awareness program alive and healthy is an ongoing corporate training and communication effort. Successful programs are a lot like marketing campaigns: organizations should distribute small pieces of information to employees on an ongoing basis. The company's internal communications team should be enlisted to ensure that the messaging stays fresh and consistent with both the corporate culture and the current security landscape.

Because viruses, worms and blended threats are spreading at an alarming rate, end-user awareness and the established training need periodic evaluation and maintenance. Feedback should be sought to determine what works and what doesn't, and the program should be continually adapted according to those results. Feedback isn't meant to be collected and then ignored; it should be shared, passed around and discussed among colleagues.

Purely reactive efforts to secure data from unwanted intrusions are a thing of the past. Such Internet security approaches are no longer effective against cyberterrorism, and organizations across every industry must now take a proactive approach to educating their employees against today's pervasive intrusions. By developing a powerful, effective security-awareness program, organizations can protect invaluable data while informing and fortifying their strongest and, quite possibly, most powerful link -- their employees.

Kathleen Coe is regional education director for Symantec Corp. in Cupertino, Calif.
