Time to Remind Users of Security Responsibilities
Getting people to remember their security responsibilities can be a challenge. But it's worth the effort.
As I got into my car, I realized that a few years ago when a car alarm went off, everyone stopped to look. Now, everyone continues on with their business.
And I wonder how effective the car alarm is.
The same reaction has occurred with many security threats. For example, viruses and worms are no longer encountered with horror. When they first started to attack our systems and networks, people panicked at the very thought of them. The first worm made headlines in our daily newspapers, as well as on the evening news. Today, they have become so commonplace that only security types really worry -- and even then we rely on our software and hardware to 'catch' them.
Complacency can be detrimental to a security program. As people become lax with their security responsibilities, the risk for security breaches becomes higher. It's a direct trade off.
However, getting people to remember their security responsibilities can be a challenge.
One way to do just that is to conduct annual training. The federal government already has this requirement. Annual training should cover the following areas -- at a minimum:
Another area of enhancing security is to implement and enforce the security policy for the network/system. If people understand the policy, and know that to break the policy will result in punishment, then they will be more likely to uphold the security policy.
Strong management is necessary to make a security policy work.