Darkreading has a very good article today - Four Ways to Turn Insiders into Assets
In general, I like the idea, as I'm a believer in putting more effort into security awareness and education.
Robert Lemos, the author of the article, lists four ways:
(NOTE: Text in italics is excerpted from the original article. Comments are added by me.)
1. Focus on changing user behavior
When it comes to training users, about 70 to 80 percent of companies are driven by compliance requirements and just want to get the box checked for training their employees, says Aaron Cohen, a managing partner at MAD Security, a security training firm.
Securityisfun: This is so true. I have seen this quite a lot. Most companies do it because the law or audit results said so. Ask yourself a question: why do you send your kids to school? Is it because the government or the law requires it? No, we send children to school because we want them to become educated people and learn how to behave correctly from a young age. So we all understand that education, or awareness, is the key. It shouldn't be any different when it comes to information security. We have to educate all employees.
2. Test and retest
Videos may work for some employees, but testing their reaction to an actual test can give a company an idea of what might happen, while giving the worker valuable experience in what to expect in the future. Security training company PhishMe, for example, allows companies to send their employees phishing e-mails. Anyone who clicks on the e-mail link will be brought to a special site to educate them.
Securityisfun: I found the idea of using "PhishMe" brilliant, and I believe it is an effective way. I did a similar test with the "screen lock policy" and I can vouch that the result was indeed excellent. Sometimes, people need to learn from "mistakes" :)
3. Teach the individual
Yet, periodic testing and video training are not the only ways to solve the training problem, says Cohen. The training should be tailored to the company and the individuals who work there.
Securityisfun: Yes. There is no single silver bullet for all. Awareness training has to be tailored to the target individuals or groups. Threat scenarios for a System Admin are not the same as those for a Finance Admin.
4. Even a failure can be a success
If an attacker fools an employee into clicking on a malicious link, submitting their credentials to a phishing site, or holding a door to allow them in the building, a properly trained employee can still act on their suspicions and correctly respond to the threat. An employee that reports any misgivings about an event can help a company respond in minutes or hours, before any damage has happened.
Securityisfun: Good point. If an employee realises that he/she has been phished and immediately reports the incident, countermeasures can be taken right away to minimize the damage. Employers should praise such employees for reporting the incident instead of blaming or punishing them.
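To tie points 2 and 4 together, here is an added example (my own code, not PhishMe's or the article's) of how a simulated-phishing campaign can be scored so that reporting counts as much as clicking: each recipient is classified by whether they clicked, reported, did both, or ignored the e-mail, and the people who clicked but then reported are singled out for praise rather than punishment. The event log, names and times are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample event log for one simulated-phishing campaign; the
# names and times are made up and are not data from the article.
EVENTS = [
    ("2012-05-01T09:00:00", "sent", "alice"),
    ("2012-05-01T09:00:00", "sent", "bob"),
    ("2012-05-01T09:00:00", "sent", "carol"),
    ("2012-05-01T09:00:00", "sent", "dave"),
    ("2012-05-01T09:07:00", "clicked", "bob"),
    ("2012-05-01T09:12:00", "reported", "bob"),
    ("2012-05-01T09:20:00", "reported", "carol"),
    ("2012-05-01T10:05:00", "clicked", "dave"),
]

def first_events(events):
    """Map each recipient to the first timestamp of each event kind."""
    first = defaultdict(dict)
    for ts, kind, who in sorted(events):  # ISO timestamps sort lexically
        first[who].setdefault(kind, datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"))
    return first

def classify(events):
    """Classify each recipient. 'clicked_reported' is the case the article
    calls a failure that is still a success: the user fell for the lure but
    raised the alarm, so the response can start within minutes."""
    outcomes = {}
    for who, seen in first_events(events).items():
        if "sent" not in seen:
            continue  # stray event for someone outside the campaign
        clicked, reported = "clicked" in seen, "reported" in seen
        outcomes[who] = ("clicked_reported" if clicked and reported else
                         "clicked_silent" if clicked else
                         "reported" if reported else "ignored")
    return outcomes

def campaign_metrics(events):
    """Rates worth tracking: clicks, reports, and how many minutes passed
    between the send and the first report (the response window)."""
    first = first_events(events)
    outcomes = classify(events)
    sent = len(outcomes)
    clicked = sum(o.startswith("clicked") for o in outcomes.values())
    reported = sum(o.endswith("reported") for o in outcomes.values())
    sent_at = min(s["sent"] for s in first.values() if "sent" in s)
    reports = [s["reported"] for s in first.values() if "reported" in s]
    to_first = (min(reports) - sent_at).total_seconds() / 60 if reports else None
    return {"sent": sent, "click_rate": clicked / sent, "report_rate": reported / sent,
            "minutes_to_first_report": to_first,
            "needs_follow_up": sorted(w for w, o in outcomes.items() if o == "clicked_silent"),
            "praise": sorted(w for w, o in outcomes.items() if o.endswith("reported"))}
```

Tracking the report rate alongside the click rate is what makes the "failure can be a success" point measurable: a campaign where half the clickers reported themselves is in far better shape than one with the same click rate and silence.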
Acknowledgement - http://www.flickr.com/photos/bsabarnowl/7045688417/sizes/m/