November 28, 2006

Some of the worst security problems originate from stupid things end users do -- from the seemingly obvious no-no of opening attachments from strangers, to connecting to the closest WiFi connection while on the road. Training, therefore, is a critical, but often overlooked, element of your security strategy. (See The 10 Most Dangerous Things Users Do Online.)

And that standard annual, 30- to 60-minute security awareness training session, where you pack in "everything" your users need to know about security, is no longer enough. "Many times, this is too much for the average user to absorb to be effective," says Todd Fitzgerald, systems security officer for United Government Services. "More frequent security reminders are needed in a way that is understood by the end user."

Security awareness training should be more "in your face" and "real," with things like posters, computer-based training, compliance tracking, and face-to-face interactive training, Fitzgerald says.

But today, security training isn't necessarily mandatory, and it's rarely a priority. Companies see security as more of a technical than a cultural issue, so organizations rely mainly on their investments in firewalls, antivirus, intrusion detection, and vulnerability assessment and penetration testing to protect their infrastructure and data, Fitzgerald says. But training employees is equally important.

And many companies establish security policies and train their users initially, but when their policies or technologies change, they don't bother to re-educate users, experts say.

"Training is pretty rudimentary, and that's the problem," says Consilium1's Kelly.

Many companies miss things like process engineering, Kelly says, and putting in the proper policies. "If your vendor calls in for a password reset for their ID, for instance, how do you know they are authorized, and that it's the actual person you should be talking to? A lot of organizations don't have a good answer for that," he says. Back-end processes that identify users aren't necessarily in place, he says.

"You want the help desk to know they are giving the password to the right person and not to a social engineer."

Still, there's no easy way to measure how effective your security awareness and training program really is. The key to a good training program is identifying your audience and the level of training they need to do their jobs, Fitzgerald says. End users and technical staffers each require different training goals, he says, so be sure you're fashioning the program properly for each group.

If you still need some incentive to beef up your organization's security awareness and end-user training, consider this: Top execs are typically not well-educated in security awareness, which is a key reason IT security doesn't always get the support and funding it needs.

Got your attention now?