The Staff of Dark Reading

Top 10 Most Overlooked Aspects of IT Security

Before you hunker down, all comfy and cozy, in front of a crackling holiday fire, hold the fruitcake and eggnog: Feel like you're forgetting something?

Some of the worst security problems originate from stupid things end users do -- from the seemingly obvious no-no of opening attachments from strangers, to connecting to the closest WiFi connection while on the road. Training, therefore, is a critical, but often overlooked, element of your security strategy. (See The 10 Most Dangerous Things Users Do Online.)

And that standard annual, 30- to 60-minute security awareness training session, where you pack in "everything" your users need to know about security, is no longer enough. "Many times, this is too much for the average user to absorb to be effective," says Todd Fitzgerald, systems security officer for United Government Services. "More frequent security reminders are needed in a way that is understood by the end user."

Security awareness training should be more "in your face" and "real," with things like posters, computer-based training, compliance tracking, and face-to-face interactive training, Fitzgerald says.

But today, security training isn't necessarily mandatory, and it's rarely a priority. Companies see security as a technical rather than a cultural issue, so they rely mainly on their investments in firewalls, antivirus, intrusion detection, and vulnerability assessment and penetration testing to protect their infrastructure and data, Fitzgerald says. Training employees is equally important.

And many companies establish security policies and train their users initially, but when their policies or technologies change, they don't bother to re-educate users, experts say.

"Training is pretty rudimentary, and that's the problem," says Consilium1's Kelly.

Many companies miss things like process engineering, Kelly says, and putting in the proper policies. "If your vendor calls in for a password reset for their ID, for instance, how do you know they are authorized, and that it's the actual person you should be talking to? A lot of organizations don't have a good answer for that," he says. Back-end processes that identify users aren't necessarily in place, he says.

"You want the help desk to know they are giving the password to the right person and not to a social engineer."
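One way to give the help desk a defensible answer to Kelly's question, as an added example that is not from the article or from any organization it quotes: look the caller's account up in the vendor directory, ignore whatever phone number the caller offers, call back the number of record, and only then accept a short-lived one-time code. The vendor names, numbers, the five-minute code lifetime and the in-memory directory are all constructed assumptions; the code is returned from `start_reset` purely to stand in for out-of-band delivery.

```python
# Added example (not from the article): help-desk identity verification before
# a vendor password reset. All vendor data and the code lifetime are assumptions.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class VendorContact:
    """Contact details taken from the signed contract, never from the caller."""
    account_id: str
    name: str
    phone_of_record: str
    authorized_for_reset: bool


# Constructed directory of vendor contacts; in practice this comes from the
# vendor-management system, not from what the help desk remembers.
DIRECTORY = {
    "vnd-acme-01": VendorContact("vnd-acme-01", "Pat Lee", "+1-555-0100", True),
    "vnd-acme-02": VendorContact("vnd-acme-02", "Sam Roe", "+1-555-0101", False),
}

CODE_TTL_SECONDS = 300  # assumption: a one-time code is valid for five minutes


class HelpDeskVerifier:
    def __init__(self, directory):
        self.directory = directory
        self.pending = {}   # account_id -> (sha256(code), expiry, number to dial)
        self.audit = []     # every decision is logged for later review

    def _log(self, account_id, event):
        self.audit.append((account_id, event))

    def start_reset(self, account_id, caller_phone, now=None):
        """Step 1: the call comes in. Nothing the caller says is trusted; the
        desk looks the account up and will call back the number of record."""
        now = time.time() if now is None else now
        contact = self.directory.get(account_id)
        if contact is None:
            self._log(account_id, "denied: unknown account")
            return {"ok": False, "reason": "unknown account"}
        if not contact.authorized_for_reset:
            self._log(account_id, "denied: contact not authorized for resets")
            return {"ok": False, "reason": "not authorized"}
        if caller_phone != contact.phone_of_record:
            # A social engineer will offer their own number; note it, but the
            # callback still goes to the number on file.
            self._log(account_id, f"caller offered {caller_phone}; callback goes to number of record")
        code = f"{secrets.randbelow(10**6):06d}"
        digest = hashlib.sha256(code.encode()).hexdigest()
        self.pending[account_id] = (digest, now + CODE_TTL_SECONDS, contact.phone_of_record)
        self._log(account_id, "callback required")
        # Returned here only to simulate delivery over the out-of-band channel
        # (e-mail of record or SMS to the phone of record).
        return {"ok": True, "callback_to": contact.phone_of_record, "code": code}

    def complete_reset(self, account_id, dialled_number, code, now=None):
        """Step 2: the desk has dialled the callback number; whoever answers
        must present the one-time code before it expires. Single use."""
        now = time.time() if now is None else now
        entry = self.pending.get(account_id)
        if entry is None:
            self._log(account_id, "denied: no pending callback")
            return False
        digest, expiry, phone_of_record = entry
        if dialled_number != phone_of_record:
            self._log(account_id, "denied: callback was not to the number of record")
            return False
        if now > expiry:
            self.pending.pop(account_id)
            self._log(account_id, "denied: code expired")
            return False
        presented = hashlib.sha256(code.encode()).hexdigest()
        if not hmac.compare_digest(presented, digest):
            self._log(account_id, "denied: wrong code")
            return False
        self.pending.pop(account_id)  # a code is good for exactly one reset
        self._log(account_id, "verified: password may be reset")
        return True


if __name__ == "__main__":
    desk = HelpDeskVerifier(DIRECTORY)
    first = desk.start_reset("vnd-acme-01", caller_phone="+1-555-0199")
    print(first["callback_to"])  # the number of record, not the caller's
    print(desk.complete_reset("vnd-acme-01", "+1-555-0199", first["code"]))
    print(desk.complete_reset("vnd-acme-01", "+1-555-0100", first["code"]))
```

The point the code makes is that the caller-supplied number never feeds the decision: the callback target, the authorization flag and the code's lifetime all come from the record, and the audit list gives the security team something to review after a suspicious call. A production version would also cap wrong-code attempts and store the pending entries somewhere that survives a restart.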

Still, there's no easy way to measure how effective your security awareness and training program really is. The key to a good training program is identifying your audience and the level of training they need to do their jobs, Fitzgerald says. End users and technical staffers each require different types of training goals, he says, so be sure you're fashioning it properly for each group.

If you still need some incentive to beef up your organization's security awareness and end-user training, consider this: Top execs are typically not well-educated in security awareness, which is a key reason IT security doesn't always get the support and funding it needs.

Got your attention now?

8 of 10