Time to Remind Users of Security Responsibilities

Today as I was walking through the parking garage after work, I was vaguely aware of the loud beeping of a car alarm in the background. I didn't stop. I didn't even turn my head.

As I got into my car, I realized that a few years ago when a car alarm went off, everyone stopped to look. Now, everyone continues on with their business.

And I wonder how effective the car alarm is.

The same reaction has occurred with many security threats. For example, viruses and worms are no longer encountered with horror. When they first started to attack our systems and networks, people panicked at the very thought of them. The first worm made headlines in our daily newspapers, as well as on the evening news. Today, they have become so commonplace that only security types really worry -- and even then we rely on our software and hardware to 'catch' them.

Is this bad?

Complacency can be detrimental to a security program. As people become lax with their security responsibilities, the risk of security breaches becomes higher. It's a direct trade-off.

However, getting people to remember their security responsibilities can be a challenge.

One way to do just that is to conduct annual training. The federal government already has this requirement. Annual training should cover the following areas -- at a minimum:

  • Identification and Authentication -- This includes password protection, length of the password, and other computer identification issues;
  • Security Breaches -- Make sure it's decided and well known who should be notified and what action should be taken if you suspect that a security breach has occurred;
  • Social Engineering -- Many people do not understand that social engineering is one method of getting around the software/hardware defenses. If someone you do not know well begins to ask lots of questions regarding your work, your boss, your office building... you should be suspicious;
  • Ethics -- Security responsibility requires ethics. You need to feel sure that workers will not attempt to go around the security devices installed, or go probing into areas where they have no business being. Make sure you make these rules clear, and make sure employees know what the consequences will be if they break them;
  • Best Practices -- A short overview of industry best practices is always a good idea.

Another way to enhance security is to implement and enforce the security policy for the network/system. If people understand the policy, and know that breaking the policy will result in punishment, then they will be more likely to uphold the security policy.

Strong management is necessary to make a security policy work.
