This column is available in a weekly newsletter called IT Best Practices.
It's time once again for security vendors and practitioners to make their annual pilgrimage to the RSA Security Conference. Tens of thousands of people are gathering in San Francisco to look for technology solutions to reduce the likelihood of cyber attacks or other security incidents. Perhaps you are one of them.
But while technology is good, and quite necessary, it can't work in a vacuum. People are still the weakest link in the security chain. For this reason, Kaspersky Lab has published a short e-booklet with Top 10 Tips for Educating Employees about Cybersecurity. Combining these tips with good security technology will go a long way toward protecting your business from security incidents. With credit to Kaspersky, I'll summarize their best practices here:
* Involve employees in cyber security. People are more likely to take ownership of their obligations and responsibilities for protecting the company's computing assets if they are actively involved in the process. Inform them of the risks and vulnerabilities and teach situational awareness. But keep in mind that people make mistakes, so don't lay blame when incidents do happen.
* Don't exempt the executives from their responsibilities toward cyber security. Sure, the CEO and the senior vice presidents are busy running the company, but that's no reason to give them a pass on security awareness training. In fact, these folks are prime targets for spear phishing because of the high-level access they have to people, systems and sensitive information, so it's vital they learn what to watch out for.
* Make cyber security a part of your corporate culture. When something is an inherent part of the culture, people are instinctive about it and they really care about it. Offer regular sessions where you can discuss real world examples of security incidents, and make it relevant to what people do. Include cyber security training when you are onboarding new employees. Reward people for doing positive things like refreshing their awareness training.
* Coach employees on the dangers of social engineering. People are social beings. We want people to like us, and we want to be helpful. We accept Facebook and LinkedIn connection requests with little thought about the new friend's real intentions. This naiveté can hand a stranger enough information about you and your company to gain your confidence later. People need to be taught to verify before trusting. And it's not just with social networks or email messages, but in person as well. That technician you just let in to fix the copy machine? He could be plugging a rogue wireless access point into a spare network jack, giving an outsider a way onto the office network from the parking lot.
* Tell people what they should do if they suspect a compromise or an active attack. Acting quickly can help limit damage. Give people explicit instructions about what to do if they experience or witness something suspicious. Workers should have documented steps to take in various scenarios. For example, if you've just opened an attachment and have an uneasy feeling that it contained malware, disconnect the computer from the network (unplug the cable or turn off Wi-Fi) to keep the malware from spreading, but leave the machine powered on so evidence isn't lost. Then call the help desk to have a technician check it out.
* Periodically test people. You need to confirm that people actually practice the cyber security you preach. Call it "pentesting for people." There are simple tools that let you send simulated phishing messages to workers to see if they bite, and that then deliver a remedial lesson if they do. Test not just the cyber aspect of your security program but also the social engineering aspect. Send a "technician" into a work area and see if anyone questions his credentials and validates that he is actually supposed to be there. Call workers and see if they give out too much information to the caller. The test results can show you where to beef up your awareness training.
* Be truthful and transparent with employees if an event occurs. Security events are going to happen. Some can stay under the radar, but others might see the light of day—especially if there are legal requirements to disclose a breach. Tell people what is happening and what they should do/not do and say/not say. In many cases, the company should restrict who talks to the public, and all other employees should be advised to defer questions to company spokespeople.
* Listen to workers' feedback. Observe and listen to how people respond to the need for cyber security. If policies make it hard for people to do their jobs, they'll develop workarounds that might be more dangerous. For example, if you require people to change their passwords every 30 days, they'll just get in the habit of writing down the current password. A sticky note with a password posted near the computer is an invitation to credential abuse. If it's a hassle to request access to SharePoint, people will use unauthorized cloud storage instead. Let your workers help you design policies and procedures that will be respected.
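The simulated-phishing tests described above depend on one mechanical detail: each worker's lure link must identify that worker, and a curious recipient must not be able to forge a colleague's link or edit their own. The following is an added example, not code from the column or from any Kaspersky product, of how such a tracker can mint per-recipient tokens with a truncated HMAC, reject tampered tokens when it tallies clicks from web-server logs, and turn the result into a per-department click rate and a list of people who should get the remedial lesson. The roster, campaign key, URL path and log lines are all constructed for the example.

```python
"""Minimal phishing-simulation tracker (illustrative example, not a real product)."""
import base64
import hashlib
import hmac
import re
from collections import Counter

# Constructed roster for the example: recipient id -> department.
ROSTER = {
    "u101": "finance",
    "u102": "finance",
    "u103": "engineering",
    "u104": "engineering",
    "u105": "executive",
}

TAG_LEN = 16  # bytes of HMAC-SHA256 kept at the end of each token

# Hypothetical campaign key and name, constructed for the example.
DEMO_KEY = b"demo-campaign-key-do-not-reuse"
CAMPAIGN = "q2-invoice-lure"

# Constructed web-server log format: timestamp, client IP, request line, status.
LOG_LINE = re.compile(r'^(\S+) (\S+) "GET /learn\?t=([A-Za-z0-9_-]+)')


def mint_token(campaign: str, recipient: str, key: bytes) -> str:
    """Per-recipient click token: 'campaign:recipient' followed by a truncated HMAC.

    Without the campaign key a recipient cannot mint a token for a colleague or
    alter their own, so the click log attributes clicks honestly.
    """
    body = f"{campaign}:{recipient}".encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return base64.urlsafe_b64encode(body + tag).rstrip(b"=").decode()


def verify_token(token: str, key: bytes):
    """Return (campaign, recipient) for a genuine token, or None if forged/garbled."""
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
        body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        campaign, recipient = body.decode().split(":", 1)
    except (ValueError, UnicodeDecodeError):
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    if len(tag) != TAG_LEN or not hmac.compare_digest(tag, expected):
        return None  # tampered tag or wrong key
    return campaign, recipient


def tally_clicks(log_lines, campaign: str, key: bytes) -> Counter:
    """Count clicks per recipient, keeping only genuine tokens of this campaign."""
    clicks = Counter()
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unrelated request (favicon, scanners, ...)
        parsed = verify_token(m.group(3), key)
        if parsed is None or parsed[0] != campaign:
            continue  # forged token, or a click belonging to another campaign
        clicks[parsed[1]] += 1
    return clicks


def click_rate_by_department(clicks, roster=ROSTER) -> dict:
    """Share of each department's recipients who clicked at least once."""
    sent = Counter(roster.values())
    clicked = Counter(dept for user, dept in roster.items() if clicks.get(user))
    return {dept: round(clicked[dept] / sent[dept], 2) for dept in sent}


def needs_remedial_lesson(clicks, roster=ROSTER) -> list:
    """Recipients who clicked and should receive the follow-up training."""
    return sorted(user for user in roster if clicks.get(user))


def demo_log(key: bytes = DEMO_KEY) -> list:
    """Constructed log lines: one repeat clicker, one executive, one forged token."""
    tok = lambda user: mint_token(CAMPAIGN, user, key)
    genuine = tok("u103")
    forged = genuine[:-1] + ("A" if genuine[-1] != "A" else "B")  # tag altered
    return [
        f'2015-04-20T09:12:03Z 10.1.4.22 "GET /learn?t={tok("u101")} HTTP/1.1" 200',
        f'2015-04-20T09:12:40Z 10.1.4.22 "GET /learn?t={tok("u101")} HTTP/1.1" 200',
        f'2015-04-20T09:15:11Z 10.1.7.8 "GET /learn?t={tok("u105")} HTTP/1.1" 200',
        f'2015-04-20T09:20:00Z 10.1.9.3 "GET /learn?t={forged} HTTP/1.1" 200',
        '2015-04-20T09:21:17Z 10.1.9.3 "GET /favicon.ico HTTP/1.1" 404',
    ]


if __name__ == "__main__":
    clicks = tally_clicks(demo_log(), CAMPAIGN, DEMO_KEY)
    print("clicks:", dict(clicks))
    print("rate by department:", click_rate_by_department(clicks))
    print("remedial lesson for:", needs_remedial_lesson(clicks))
```

The forged line for u103 is dropped because its HMAC no longer verifies, so an engineer who tampers with a URL cannot inflate a colleague's score, and the department rates reflect only verified clicks. In a real deployment the key would be generated per campaign and kept with the rest of the awareness-training tooling, not embedded in source.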
Even the Verizon 2015 Data Breach Investigations Report cites PEBKAC (Problem Exists Between the Keyboard and Chair) as a source of security lapses. With proper awareness training and meaningful input from workers, the PEBKAC gap can be narrowed considerably.