I’ve spent quite a lot of time recently working on some material for a new Foursys training course, which is aimed at raising security awareness amongst regular users. Preparing the course meant spending time researching the kind of issues that, however obvious they may be to a techie, end-users simply don’t care about or understand. The challenge, as I saw it, was finding a way of presenting these problems to our employees whilst remaining largely non-technical, and making the information relevant and genuinely useful.
My approach to this was actually fairly simple – trying to blur the line between workplace and personal security. Lecturing staff about the importance of passwords in the workplace is neither interesting nor useful, whilst explaining to them how a criminal might hijack their credit card information is. The basic message is the same: use good passwords, be careful with open wireless, don’t ignore certificate errors – you get the idea.
Another important aspect when it comes to end-user education is the attitude of your IT department, something not so easily dealt with in a half-day training session! A recent article on DarkReading.com (http://bit.ly/xGTGC0) contained a statistic that, on the face of it, surprised me. It claimed that in the US only just over 1% of all IT staff work in information security. I’m convinced that the number can’t be that reliable – and what is classed as an InfoSec role? – but it did get me thinking.
Some positions are obviously security oriented (security officers et al), but all technical positions are security related. This seems quite obvious really: from first-line support technicians through to developers, DBAs, IT managers and server operators, every single position should have security at the very centre of everything they do. For most IT pros, security is not something they do; rather, it is the way in which they do something.
All too often IT staff are not encouraged to work in a secure way – and you don’t usually have to look far to find examples. I frequently encounter organisations where IT staff routinely do things such as asking users for passwords, removing antivirus software to “fix” issues, using seriously awful passwords for administrator accounts, and so on. All of these violations are ones we’d chastise an end-user for, and in fact we’ll often specifically tell them they mustn’t do such things – so why should it be any different for us?
Usually these misdemeanours are full of good intentions, and help us appease the end user who’s having a problem – but whilst asking for their password so you can log on and resolve an issue over lunch might be easy, it’s sending all the wrong messages to the user.
Educating our users is clearly a crucial part of any organisation’s information security strategy, but IT departments need to keep their side of the deal as well. We too must ensure that everyone from helpdesk technicians up to the IT director follows the same rules, and that we no longer undermine those rules and policies we impose on the rest of our employees. So next time there’s a security incident stop for a moment before you blame a user and ask yourself, could I have done anything more to prevent it?
Follow Stuart on twitter @Stuart83w