Employee Security Training: Beyond Posters

Mary K. Pratt   Today’s Top Stories    or  Other Security Stories  

Data Protection and Disaster Recovery with iSCSI and VMware Disaster Recovery Simplified - iSCSI and VMware Site Recovery Manager Deliver Results Learn from the latest Internet Security Threat Report update Case Study: Simplified DR Planning and Implementation Virtualized iSCSI SANs: Flexible, Scalable, Enterprise Storage for Virtual Infrastructures Case Study: Consolidating Servers While Keeping Them in Sync with DR Sign up to receive Security Resource Alerts

April 17, 2006 (Computerworld) -- It's the kind of breach that companies fear: workers giving out network log-in names or changing passwords when asked to by someone posing as an IT staffer.

The best firewalls on the market can't protect against such scenarios.

"Why even lock your doors if employees happily hold them open for a stranger following behind them?" asks Alex Ryan, security officer at VeriCenter Inc., an IT infrastructure and managed services provider in Houston.

The risk that employees pose is significant. They can fall prey to social engineering, a fancy term for being conned. They can ignore company policy by failing to encrypt sensitive data. Or they might install unauthorized software that can corrupt the system.

Think you're well protected? Recent findings from the Computing Technology Industry Association might convince you otherwise. In this year's CompTIA information security study, 59% of the organizations surveyed indicated that their latest security breaches were the result of human error alone. That's up from 47% last year.

Despite such statistics, many companies fail to do enough to educate their workers. That's what the Internal Revenue Service discovered, according to a March 2005 federal government report.

Federal inspectors posing as IT help desk staffers trying to correct a network problem called 100 IRS managers and employees and asked them to provide their network log-in names and temporarily change their passwords to ones they suggested. Inspectors persuaded 35 IRS workers to do just that.

This success came despite IRS efforts to educate employees.

Dan Galik, the IRS's chief security officer, says his agency "re-energized the awareness program" following the report. In addition to annual reviews, posted announcements and online courses mandated under the 2002 Federal Information Security Management Act, Galik says the agency has added some innovative approaches.

One was a Jeopardy-style game held last November during which workers tried to give the right answers on security-related topics.

"You've got to come up with something that will stick," Galik says.

Here are some other practices that have proved effective in getting the message across.

Make It Personal

"Many employees worry about their home machines' security. Leverage that concern to promote general security principles that can be applied at both home and work," Ryan says. "It's a way to make people personally interested in security." She e-mails employees newsletters with tips that alert them to the latest scams or viruses that could affect both their work and personal PCs.

Source: Exclusive Computerworld survey, March 2006

Companies can also use personal examples to show what they're trying to achieve on a corporate level, says IT security expert Candy Alexander, a consultant at Alexander Advisory LLC in Merrimack, N.H. For example, companies can tell workers that protecting passwords is no less important than protecting their debit cards' PINs.

If you have the luxury of getting people into a classroom for training, Ryan recommends a little live action to drive home the message. She has enlisted students during classes to act out roles, such as a hacker and an administrative assistant. She instructs the hacker to pressure the assistant for his computer password with techniques that real-life social engineers use.

Companies also shouldn't underestimate the power of publicity, says IT security expert Jim Litchko.

He points to a situation that played out at a government intelligence agency where a senior official, against agency policy, brought in a disk that turned out to contain a virus. The agency fired him and let everyone know it.

"To those people who value their jobs, it's very effective" in highlighting the importance of security, says Litchko, president of Litchko & Associates Inc., an IT consulting firm in Kensington, Md., and past chairman of the IT security council for ASIS International, an organization of security professionals.

Employees should also have simple steps to follow if they suspect security problems. Litchko says one company had stickers on its computers providing information on typical scams, along with a number to call for help.

Integrate Security Awareness

Companies that consider security training an annual event are missing out on opportunities to make security part of the everyday culture, says Jonathan G. Gossels, president of SystemExperts Corp., a Sudbury, Mass.-based network security consulting firm.

Gossels recommends leveraging ongoing training events. He notes that one client, a large chemical company, incorporates security components into its regular professional development courses.

"No one would take time out to take a security course, but to take 15 minutes in another course works well. And they're able to tune the security message to the people taking the course," Gossels says.

Also, don't let security become an "out of sight, out of mind" issue, says Litchko.

"It has to be a continual thing. You can't just put up a poster and keep it there a year. It needs to be constant and varied."

In addition to her monthly security newsletters, VeriCenter's Ryan regularly e-mails summaries of news articles related to IT security.

Another way to keep security on everyone's mind is to use technology itself to remind them, says Joel Rakow, the e-crimes practice leader at Tatum LLC, an executive consulting and services firm in Atlanta. Companies can have security-related tips and reminders -- like "Our data is sensitive information," or "Customer information is available on a need-to-know basis" -- flash up on screensavers.

Like so much else in IT, security training should not take a one-size-fits-all approach, says Susan Hansche, program manager at Nortel Government Solutions Inc., a Fairfax, Va.-based company that provides information-assurance training programs to the U.S. Department of State.

Hansche recommends role-based training, where the messages and action items are targeted to specific audiences. Her company, for example, uses eight different role-based programs to train 1,000 State Department employees annually. The courses for executives are different from those for senior-level managers and general end users.

Alexander has taken a similar approach to training. She says executives like war stories, middle managers prefer presentations that give them checklists of action items, and general end users like information in small, easily digestible chucks.

When Alexander worked at the former Digital Equipment Corp., she developed a scavenger hunt that asked workers to find 10 items related to security on the company's Web site. Those who got all 10 were entered into a drawing to win a mug.

You might be surprised to learn that the nonmandatory event drew in more than 70% of the company's worldwide workforce. "Positive competition is really beneficial," Alexander says.

K Rudolph says she has seen similar success with competitive programs. Rudolph is a Certified Information Systems Security Professional and chief inspiration officer at Native Intelligence Inc., a company in Glenelg, Md., that provides IT security awareness services to government agencies and private industry.

She says one of her clients implemented a "news hawk" program, where the first employee to bring in a news story on IT security gets a prize. Prizes have ranged from time off to movie tickets. The awareness team then distributes the news item through a weekly e-mail or its periodic newsletter.

Make It Fun

IT security is a serious topic, but security officials have found that some levity helps keep workers' attention.

Alexander, like many others, has used Web-based training to educate employees on security topics and used online quizzes to test their knowledge. Although the material covered significant topics, she still found ways to elicit some smirks. For example, the multiple-choice answers for "What is social engineering?" included "a college degree" and "a job on a cruise line" -- obviously false answers infused with a hint of dry wit.

"It's not extremely silly," Alexander says, "but it's something to make people remember."

Pratt is a Computerworld contributing writer in Waltham, Mass. Contact her at marykpratt@verizon.net.

Print this Story

Send Us Feedback

E-mail this Story

Digg this Story

Slashdot this Story

Would Your Workers Pass the Test? Employee Security Training: Beyond Posters

"Security people can talk until they're blue in the face about the dangers of unsecured Windows PCs and how they..." Read more... "Despite some progress, many federal agencies appear unlikely to meet an Oct. 27 deadline for completing the roll-out of new..." Read more... Read more Security posts or See all Blogs

XP SP3 cripples some PCs with endless reboots Microsoft to patch four bugs on Tuesday Web attack worm on a rampage More top stories...

Microsoft grows DAISY for blind computer users while Adobe wilts Leopard at six months: Does it live up to the early hype? Mozilla shipped worm with Firefox add-on

5 easy ways to commit career suicide Mistakes such as putting down co-workers or burning bridges when you resign are surefire ways to darken your career prospects. Here's how to avoid them Opinion: Get ready for these 6 game-changing technologies Hype and promises abound in the IT world, but these six breakthroughs really will change your life, says author and former IT manager John Brandon. What brain drain? Baby boomers are retiring and taking their knowledge with them. Why do so few in IT seem to care? Tales from the crypt: Our first computers Computerworld editors share stories of their first PCs, including some classics and some real clunkers -- then we ask readers to share their early-PC tales. Windows Vista A to Z Reviews, analyses, how-tos, visual tours, hot issues and predictions about Microsoft's new OS. More Continuing Coverage After 9/11: Homeland SecurityAsk a Premier 100 IT LeaderBlackBerry Legal BattleData Security BreachesElectronic VotingFirefoxH-1B VisasHP's Boardroom ScandalHandheld DevicesHurricane Katrina AftermathMicrosoft Legal IssuesMicrosoft's VistaOpen SourceRFID TechnologySCO's Linux FightSarbanes-Oxley ActSpamVoice Over IPWi-FiWindows Meta File VulnerabilityWindows XP Service Pack 2 IT Careers 2010 Four years from now, the IT field will be a vastly different place. Will you be ready? More Special Reports Premier 100 IT Leaders 2007 Best in Class2006 Computerworld Horizon Awards2006 Premier 100 IT Leaders2006 Salary Survey2007 Best Places to Work in IT2007 IT Forecast2007 Premier 100 IT Leaders40 Years of ComputerworldASPs, Take TwoBest Places to Work in IT 2003Best Places to Work in IT 2004Best Places to Work in IT 2005Best Places to Work in IT 2006Business Intelligence Home RunsBusiness Intelligence: Smarter BIBusiness Intelligence: The Future of BICRM Goes VerticalCRM: Sober CRMCareer Planning Guide 2005Careers: IT Profession 2010Computerworld Horizon Awards 2005Data Management: Mining for GemsData Management: Taming Data ChaosDevelopment: Hard-Workin' Web SitesDevelopment: New Tools New ChoicesDevelopment: The New World of Application DevelopmentDevelopment: The Web Services TsunamiDevelopment: Web Services HurdlesDisaster Recovery: Preparing for the WorstE-commerce Grows UpE-mail/Groupware: Big DecisionsFaces of Mobile ITForecast 2006Global MobileHardware: Multiple Cores, Multiple ChallengesHardware: On-Demand Un-HypedHardware: The Shape of Things to ComeHorizon Awards: 10 Cool Cutting Edge TechnologiesIT Management: Guide to Managing VendorsIT Management: Navigating Global ITIT Management: Recovery AheadIT Management: The Future of ITIT Management: The Resourceful Project ManagerInnovative Technology Awards 2004Management: Reinventing ITMicrosoft in TransitionMobile/Wireless Leaders and LaggardsMobile/Wireless: The Untethered WorkerMobile/Wireless: Tiny Gadgets, Huge CostsNetwork Management: Taking ControlNetworking: Turbulence Ahead!Networking: VoIP Goes MainstreamOperating Systems: In the Slow LaneOperating Systems: Linux Goes GlobalOperating Systems: Should You Nix Unix?Outsourcing: Offshore Buyer's GuideOutsourcing: Outsourcing DangersPremier 100 IT Leaders 2004 Best in ClassPremier 100 IT Leaders 2005 Best in ClassROI: Do the Math!Salary Survey 2003Salary Survey 2004Salary Survey 2005Security Action PlanSecurity: Compliance HeadachesSecurity: Proactive SecuritySecurity: Risk and RewardSecurity: Tips From Security ProsSouped-up SecurityStorage: Battling ComplexityStorage: Cheap & Secure Data StoresStorage: Stretching Your Storage DollarsStorage: The Lean Storage MachineStorage: The New Rules of StorageStorage: The Ultimate Backup GuideSupply Chain: Missing LinksSupply Chain: RFID Reality CheckThe Business of SecurityWeb 2.0 SecurityWireless: Wireless At Work All Zones Application Performance Zone Enterprise-Class Security Zone Enterprise Solutions Zone The File Data Management Zone Grid Computing on Windows Zone Security Management Zone ITIL Best Practices Zone The SAS Zone Storage Virtualization Zone The Data Center Management Zone See your link here

Long Tail Supplier Collaboration - What's In It For You? Long Tail Supplier Collaboration - What's In It For You? This webcast will air on Wednesday, May 7th at 2:00 PM EDT/11:00 AM PDT. Go to the webcast  Computerworld Executive Bulletin: Building a Robust Antivirus Defense Download this Executive Bulletin (a $49.95 value) for free, compliments of MessageLabs. (Source: MessageLabs) Antivirus software alone isn't enough to prevent today's speedy, sophisticated virus attacks. Security managers should consider multitiered approaches that include behavior scanning, appliances that check e-mail for worms, and restricting user access to dangerous Web sites. Download this Executive Bulletin (a $49.95 value) for free, compliments of MessageLabs, to learn more. Download this executive briefing  Eliminate SPAM, Gain Productivity Get this white paper now! (Source: MessageLabs) Learn all about the dangers and the costs of spam in all its forms - from stock-touting to spreadsheet. Also, understand the drawbacks of traditional hardware- and software-based defenses - and the unique benefits of MessageLabs multi-layered, managed Anti-Spam solution; as illustrated by a real-world case study where MessageLabs stopped spam cold. Download this white paper  White Papers Read up on the latest ideas and technologies from companies that sell hardware, software and services. License Optimization: Get to One Version of the Truth Gaining Insights Through Analytics Butler Technology Audit Report View more whitepapers

• Would Your Workers Pass the Test?
• Employee Security Training: Beyond Posters

• XP SP3 cripples some PCs with endless reboots
• Microsoft to patch four bugs on Tuesday
• Web attack worm on a rampage
• More top stories 

Security Management Zone Security management is the process of developing a comprehensive data protection plan. It takes into account all potential threats, the existing network environment, the future needs of the organization, and lays out a multi-tiered blueprint to integrate the security technology needed to combat these threats. CDW can help keep your network and data secure. Visit the CDW Security Management Zone now See All Zones



Fired up about IT? Join Sharkbait and share your true tales of IT. SharkBait is the place for you to sound off about everything IT – the good, the bad, and the rest of the weird stuff you deal with every day. New baits



Computerworld Technology Briefing: An open-source path to optimal virtualization Looking for a virtualization strategy that offers both the flexibility and reliability to meet the demands of mixed-source environments? Look no further than the fast-emerging open virtualization approach backed by some of the biggest names in enterprise computing. Together they are pointing the way toward higher data center performance without higher costs. Download this briefing



In Security There's plenty of talk about how to behave during a Customs search of your computer and gear, but Jon Espenschied's got tips for securing your data (and privacy) before you reach the border. Click here to read the latest column by Jon Espenschied