Security training and education: the most important company-wide security policy

‌‌

Even if you’re not always up on the latest news, you’ve heard about recent data breaches at a handful of big companies. Within the past few years, Target, Home Depot, Anthem and eBay have all fallen victim to data breaches that affected more than 300 million accounts. Even the federal government has suffered data breaches affecting millions of employees. Given these high-profile hacks, you might wonder, what’s the most important thing you can do to protect data in your organization? The answer may surprise you.

How security threats easily happen within companies

Imagine an employee in sales or marketing. He’s worried about getting his job done faster, better and more efficiently. In fact, his next promotion probably depends on it. He finds an app that helps him manage his projects and time better, so he signs up and downloads it to his laptop. At this point, he’s not worried about someone reading his email or getting the information he’ll put in the app, he just wants quick, easy access. So he uses an easy to remember password, something like pass1234.

I asked you to imagine this scenario, but if you’ve been in IT for more than a year or two, you can probably think of several real situations when this has happened. These days, a lot of the data hacks we see aren’t breaches on company servers (though they happen too). Usually it’s something around bad password management or reusing the same password for multiple applications and websites. Hackers get in one place, then gain access to sensitive information elsewhere with the same password. So whose responsibility is it to make sure this doesn’t happen?

Certainly employees bear responsibility for following security procedures. But they’re not always thinking about how their behavior affects security. Their concern is getting their work done efficiently. And an impossible-to-remember 16-character password doesn’t help them do that. So it falls on the IT team to own that education throughout the organization. We need to help employees understand the potential impacts on security due to their behavior. Then, follow that up with training and products that make it easy to do the right thing.

Another typical scenario involves—shadow IT—a marketing team that hires a junior developer to help write an internal application to support the team. The app connects to a company database and gives the marketing team the information they need. But unknowingly, it creates a new risk. The developer may not know what a SQL injection is. He doesn’t even know the questions to ask about this risk because he’s inexperienced. He’s just building the app, doing his job.

Let’s talk about one more. Jason in HR receives an email from his CEO late Friday afternoon. The email reads:

Please send me our most up-to-date employee directory and comp review. I need it before the weekend so feel free to just send me a dump of all the info. No need to polish it up. Thanks.

Jason whips into action sending the documents to “his boss” not wanting to let her down. What Jason doesn’t realize is the email name is spoofed and he sends the file to an attacker instead. The attacker got his info from LinkedIn and only had to guess an email address (most companies have standard naming conventions that are easy to decipher.) Now that attacker has all the names, addresses, social security numbers and more for the employees at that company. Social engineering is commonly used now as an attack, or at least a point of entry, knowing that people are, in many cases, the weakest link in a system’s security.

It’s not that IT isn’t trying. They are. But the usual approach may not be as effective as it could be. Typically the security team will send out an email blast to the entire organization that says something like:

Here’s the tech debrief we received on Shellshock, a bug affecting all Unix and Linux Systems. Please read, change your behavior as needed and follow the documented mitigation steps.

OR

Due to the recent exploitation of our internal systems, all new application requests must be reviewed by our internal IT team. Any unauthorized apps will be blocked and traffic will be quarantined…

This doesn’t provide any value to the business and creates additional responsibility for an IT team that is already stretched thin. Instead, IT needs to consider the needs of the organization and how they are using technology in their jobs and identify ways to educate all those in the company to be aware of the security risks they take and their potential impact.

Why your IT team should educate the entire company on security

What if the security team took a different approach? Could they put together some video training that shows how a thief could sniff passwords off the local Starbucks wi-fi? Demonstrate how it can be done with $100 of hardware, a battery and a backpack. IT’s job is to make the information consumable and actionable. Rather than enforce with an email very few will read, show the dangers employees are creating if they’re not connecting through the company VPN. Make it concrete and actionable. Show the ease at which someone can be exploited.

Training like this requires an upfront investment of time, but the actual payout in the long-term is highly beneficial. When employees understand the risks, your support team will find itself fixing and putting out fires less often. And that opens up the possibility of spending that time focusing on bigger threats, penetration testing and really monitoring network traffic to identify other potential issues.

Enforcing good password practices is a no brainer. Most identity management tools have good password policies built into them. But it’s amazing how often those things are turned off. Maybe the CEO decides she doesn’t want to change her password every 45 days. So changes are made to the identity management tool that eliminates this requirement for her. But the CEO and other executives  are some of the people in an organization who hackers target most because many times they will have complete access to the data systems. Again, it’s up to IT to educate everyone about the very real risks this behavior creates.

Even with education, things will go wrong. Employees will fall for phishing schemes or download infected files from a site they shouldn’t be visiting in the first place. When a vulnerability is identified, it helps to have a culture of openness and support within your IT team, versus being close minded and hard to work with.

If you want employees to come to you when they’ve made a mistake (rather than wait until you discover the damage has spread throughout the organization), don’t treat them like an enemy or a prisoner. They probably already feel naïve for making the mistake. They may even feel guilty for viewing a website that they shouldn’t have been on. Instead of inflicting punishment, help them get back up and running as quickly as possible. Then educate and find ways to turn them into evangelists.

When your IT team acts as a partner, trainer and advisor, rather than gatekeeper and punisher, you’ll create a company culture where everyone is concerned about security. Ultimately, it falls on the IT team to own that education, enabling, innovating and supporting the other departments and divisions within your organization. And that’s the most important security policy you can establish in your organization.

Keep your organization secure. Watch our webinar: Builders vs. breakers: 10 online attacks that we could have easily prevented

 

Contributor

Gary Eimerman

(VP of IT Pro Content) heads up the IT pro curriculum at Pluralsight. He brought his expertise over from TrainSignal, where he spent eight years helping to grow the company into the leader in online IT training. Gary has a B.B.A. in Management Information Systems from University of Iowa and brings hands-on experience with computer hardware, networking and administration, as well as a passion for education, to the Pluralsight team.

You can follow him on Twitter: @garyeimerman.