Oct 23 2007

On Their Toes

How technology companies make sure employees always have security on the brain — and what their awareness and training efforts can teach agencies.
by

Heather B. Hayes has been covering technology, business and education topics for more than 20 years and has written more than 2,000 published articles. She lives in Virginia.

At first glance, employees at an annual security awareness training seminar at Cisco Systems might believe that the short video they’ve been asked to view is one of those “Law and Order” episodes — “ripped from the headlines.”

The camera fixes on a handsome but callous prisoner who sits in a dark interrogation room and slowly confesses to police how his planned day of data thievery went completely awry.

His target? Executives at a busy conference, all a bit distracted as they conversed and traveled from meeting to meeting carrying notebook and handheld PCs as well as briefcases full of proprietary and sensitive corporate information. It was, the thief says, “the perfect setup.”

But in this “episode,” a cadre of surprisingly well-trained and quick-thinking employees foils his sophisticated effort to charm his way in and steal as much hardware and insider information as possible.

The story line in the video is, of course, fictional, but the scenario is plausible in a world where cybercriminals’ motivation derives from financial and political gain rather than mischief.

“Every employee of any organization is a potential target of an information thief,” says Mia Bradway Winter, Cisco’s security awareness program manager. “And we want our employees to realize that, yes, it’s a dangerous world out there, and that these are the kinds of things that can happen. But if they are aware of what the threats are and know how to react in a given situation, they can prevail.”

About People

Major computer manufacturers and information technology security companies may have the latest and greatest in encryption, intrusion detection systems, personal firewalls, antivirus applications and other data protection must-haves, but they still recognize that human nature with its potential for fallacy and foible remains the chief security vulnerability. For this reason, developing effective internal security awareness and training programs is a top priority for even the biggest technology companies, and their experiences offer lessons that agencies can also adopt when developing and fine-tuning their training programs.

Security awareness programs succeed using many approaches, but the most effective have some common denominators, according to corporate officials. They are tied to the overall security policies of the organization but build on grass-roots support from within the organization; they are positive — even entertaining — in the way they teach and motivate; they are designed to meet the unique needs of different employee functions and communication styles; and they are ongoing and pervasive, rather than just one-time events.

“It’s important to remember that employees really do want to do the right thing,” says Lee Futch, product manager for educational services at Symantec. “And you can’t really hold them accountable until you’ve made them aware of the different threats that are out there and what they need to do to protect against them.”

Threats tend to exploit the human factor, says Tim McKnight, vice president and chief information security officer at Northrop Grumman Information Technology, citing phishing, social engineering, spear phishing and other attacks that trade on trust. “Obviously, we can’t take users out of the equation. The key is developing a program that can produce sustainable behavior change.”

Futch agrees, noting that technology is no panacea in today’s environment. “You can have the absolute best firewall in the world, but that won’t do you any good if somebody can talk the boss’s secretary into giving up his password,” Futch says. “Employee training in security is probably the best investment that an organization can make to help protect their information.”

Diffuse the Knowledge

Security and education officials at major technology corporations say that their approach has changed in recent years by focusing less on the technical nature of security and more on it as a bona fide business function.

That reality is one reason why John N. Stewart, Cisco’s CISO, decided to ask Winter, who spent her career in public relations, investor relations and internal communications positions, to lead the company’s new security awareness training program.

One of Winter’s first initiatives was the Cisco Security Champion Awards, which recognize employees who take the initiative to improve security within their own business unit. Security champions win money and other prizes, companywide recognition, a highly visible plaque that’s hung in the lobby at company headquarters and membership in a rarified security ambassador group.

“What we’re trying to do is to build a network of folks that we can rely on throughout the different regions, so we can provide content and messaging and they can take it further into the organization,” she says. “We want the security awareness program to go beyond the training and into the company where it has its own legs and arms.”

Stay in Their Face

Keeping security front and center and on the brain, so to speak, is a critical component of a successful awareness program, and just because employees and new hires go through a course and test successfully on their security knowledge doesn’t mean the job is complete, says McKnight.

“At the end of the day, the most important thing a company can do in the area of security awareness is ‘repeat, repeat, repeat,’ ” he says. “It is our job to make sure that we find as many opportunities and methods available to us to deliver the message.”

1 million

Computers across the country compromised by botnets, unbeknownst to their users.

SOURCE: FBI

Symantec, for example, offers regular Web-based refresher courses and routinely sends out short e-mail messages, either alerting staff to new threats or just communicating friendly reminders of good security practices. Cisco has come up with a number of simple, pithy security messages that are displayed around offices, on screen savers and on promotional items such as pens and name holders.

Still, says McKnight, organizations have to be careful about overcommunicating to the point that users lose interest. The key, he says, is to be as creative as possible. Many companies, including Northrop Grumman, use giveaways, interactive games and contests that test the security knowledge of employees. “These have been met with enthusiastic response,” he says.

Northrop Grumman has even extended its awareness and training into the communities where employees live, engaging with the local school systems to also teach their workers how to protect their children from Internet dangers.

Speak Positively; Carry a Big Stick

At the same time, it’s important to make sure that employees understand how easily security breaches can happen if users grow complacent.

John Lainhart, a partner and security, privacy and wireless service area leader for IBM Global Business Services, provides information security awareness training for federal agencies. He says one of the most effective things he does is to show rather than tell how security breaches can occur. He and his team have gone “dumpster diving” in front of a group of trainees and uncovered papers with user names and passwords written on them or walked unimpeded through the back door of a computer center used by employees during smoke breaks. “It’s a dramatic way to get their attention,” he says.

This type of approach also helps bring home to employees the dangers of the insider threat. People trust their colleagues, and that can make them more lax about security practices when they are inside their place of employment. People want to trust their colleagues, but in fact, he says, “a lot of them have the keys to the kingdom.”

Although a positive approach works best with employees, it’s important to at least let them know the negative consequences of their actions, says John O’Leary, director of education for the Computer Security Institute, which works closely with several high-tech companies on security awareness training. “A policy needs to have teeth if it’s going to be effective,” he says. “That’s a point that should be told at least once, although you probably shouldn’t dwell on it too much. Fear is not the most effective motivator.”

Do It Their Way

Getting the security message across effectively also requires a strong understanding of how employees learn — and learn differently — security officials say. Work responsibilities and security needs differ from CEOs to IT specialists to administrative assistants to telecommuters. Some employees prefer instructor-led seminar training, while others like multi­media and Web-based training that they can do in their spare time. Some like to go to a Web site for information; others prefer updates and information pushed out to them via e-mail.

“When you’re talking about reaching and impacting people, you’re talking about a lot of variables being involved,” Symantec’s Futch says. “You cannot approach this as a one-size-fits-all program and expect it to work. You’ve got to know who your employees are and how they like to consume information and really develop and evolve your program to meet those different needs.”

Done right, though, a security program can result in a workforce that is up to the challenge of thwarting attacks, says Cisco’s Winter. “If you get people on board and enthusiastic about helping the organization protect itself, then what happens is you start reaping this culture of security, and it just starts building its own momentum,” she says. “People take actions and help each other, and the behavior you were trying to create in people just becomes second nature to them.”

What's the ROI?

People are, by nature, “squishy,” as some security awareness managers like to describe them, so finding a way to gauge the return on investment of a program that seeks to change people’s behavior is pretty tough. It’s also absolutely necessary, says John O’Leary, director of education for the Computer Security Institute.

“Summing it up with a dollar figure is not something you can really do, but you’ve got to come up with some metrics that show that you’re making a difference and also to somehow justify to management the amount of money that you’re spending on these types of programs,” he says.

A good ROI effort will also give agencies some idea of whether or not they should tweak their subject matter or training style.

Lee Futch, education program manager at Symantec, suggests using a tracking system, perhaps within a learning management system, to help determine whether there’s any progress on, say, the use of passwords that meet policy requirements.

Organizations can also come up with a list of objectives for behavior change and then take before-and-after measurements to determine impact. Those metrics can include:

  • The number of crackable passwords.
  • The number of employees who complete security awareness programs in a given year.
  • The number of hits on a security awareness Web site.
  • The percentage of notebooks that have complete file encryption implemented or that have privacy filters installed.
  • The number of employees who pass or fail impromptu security quizzes.
  • The number of calls to the help desk because of suspicious e-mail.
  • The number of minutes the network is down because of a virus or attack.

O’Leary cautions, however, against taking any set of collected statistics at face value.

“You really have to be careful in how you interpret those metrics, though, because, in the case of help-desk calls, it could be that people are more attuned to security or that they know less than they should about what they’re experiencing,” he says. “It’s all in how you look at it.”

Quiz Me

Here are some of the questions Symantec uses to quiz employees on security knowledge after they have finished an internal awareness program.

Which three elements should your password include?

  • Upper case letters (TRUE)
  • Lower case letters (TRUE)
  • Numbers at the beginning (FALSE)
  • Numbers at the end (FALSE)
  • Special characters (TRUE)
  • Words that can be found in a dictionary (FALSE)

Which of the following statements is true regarding instant messaging?

  • Instant messages are transmitted in an encrypted format. (FALSE)
  • Instant messages are transmitted in unencrypted (clear text) format. (TRUE)
  • It is not possible to become infected by a virus when using instant messaging. (FALSE)
  • Instant messaging is an acceptable medium for exchanging confidential information. (FALSE)

You receive an e-mail that appears to originate from your bank. It states that because of a software upgrade, you must re-register your account and provides a link for you to do so. What should you do?

  • Click on the link and re-register your account. (FALSE)
  • Run a virus scan. (FALSE)
  • Call your bank to verify the information in the e-mail. (TRUE)
  • Forward the e-mail to friends who also use the same bank. (FALSE)
Photo: Erik Isakson/Getty Images

Related Articles

Close

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT

Subscribe Now