Employee Security Training: Beyond Posters
Your employees need more than slogans. Here's how to get them to take security seriously
April 17, 2006 (Computerworld) --
It's the kind of breach that companies fear: workers giving out network log-in names or changing passwords when asked to by someone posing as an IT staffer.
The best firewalls on the market can't protect against such scenarios.
"Why even lock your doors if employees happily hold them open for a stranger following behind them?" asks Alex Ryan, security officer at VeriCenter Inc., an IT infrastructure and managed services provider in Houston.
The risk that employees pose is significant. They can fall prey to social engineering, a fancy term for being conned. They can ignore company policy by failing to encrypt sensitive data. Or they might install unauthorized software that can corrupt the system.
Think you're well protected? Recent findings from the Computing Technology Industry Association might convince you otherwise. In this year's CompTIA information security study, 59% of the organizations surveyed indicated that their latest security breaches were the result of human error alone. That's up from 47% last year.
Despite such statistics, many companies fail to do enough to educate their workers. That's what the Internal Revenue Service discovered, according to a March 2005 federal government report.
Federal inspectors posing as IT help desk staffers trying to correct a network problem called 100 IRS managers and employees and asked them to provide their network log-in names and temporarily change their passwords to ones they suggested. Inspectors persuaded 35 IRS workers to do just that.
This success came despite IRS efforts to educate employees.
Dan Galik, the IRS's chief security officer, says his agency "re-energized the awareness program" following the report. In addition to annual reviews, posted announcements and online courses mandated under the 2002 Federal Information Security Management Act, Galik says the agency has added some innovative approaches.
One was a Jeopardy-style game held last November during which workers tried to give the right answers on security-related topics.
"You've got to come up with something that will stick," Galik says.
Here are some other practices that have proved effective in getting the message across.
Make It Personal
"Many employees worry about their home machines' security. Leverage that concern to promote general security principles that can be applied at both home and work," Ryan says. "It's a way to make people personally interested in security." She e-mails employees newsletters with tips that alert them to the latest scams or viruses that could affect both their work and personal PCs.
Source: Exclusive Computerworld survey, March 2006 |
|
Companies can also use personal examples to show what they're trying to achieve on a corporate level, says IT security expert Candy Alexander, a consultant at Alexander Advisory LLC in Merrimack, N.H. For example, companies can tell workers that protecting passwords is no less important than protecting their debit cards' PINs.
 |
Employee Security Training: Beyond Posters
|
|
|
Too much junk food, too little exercise and a 24/7 tether to technology? Your body ain't happy, friend. Let us count the pains.
Instruments on the surface of Mars have detected falling snow that is likely evaporating before it reaches the planet.
One positive development stemming from the collapse of Wall Street may be a boost in interest in computer science and IT careers among students who were previously interested in financial services jobs.
Getting new software installed on Linux doesn't have to be hard, but it can differ depending on what you're installing.
Reviews, analyses, how-tos, visual tours, hot issues and predictions about Microsoft's new OS.
Four years from now, the IT field will be a vastly different place. Will you be ready?
|
 |
| From Laggard to Leader: Transforming the Data Center From Laggard to Leader: Transforming the Data Center Register for this complimentary webcast today! Go to the webcast |
|
| Computerworld Executive Bulletin: Building a Robust Antivirus Defense Download this Executive Bulletin (a $49.95 value) for free, compliments of MessageLabs. (Source: MessageLabs) Antivirus software alone isn't enough to prevent today's speedy, sophisticated virus attacks. Security managers should consider multitiered approaches that include behavior scanning, appliances that check e-mail for worms, and restricting user access to dangerous Web sites. Download this Executive Bulletin (a $49.95 value) for free, compliments of MessageLabs, to learn more. Download this executive briefing |
|
| Intercept Spam & Viruses Download this whitepaper to learn how to outsmart spam & viruses, compliments of MessageLabs. (Source: MessageLabs) Register for a complimentary 30 day trial of MessageLabs' new managed Anti-virus and Anti-spam security solutions. MessageLabs guarantees complete protection against all known and unknown email threats. By providing 24 hour support, your business can increase productivity and decrease risk.Register now for a complimentary trial and receive a free datasheet. Download this white paper |
|
| White Papers Read up on the latest ideas and technologies from companies that sell hardware, software and services. | View more whitepapers |
|
|