IT security awareness

What’s your biggest security problem? Is it Exchange/Outlook? Internet Information Server? Windows scripting? Actually, if you think about it, it’s none of those. Your biggest security problem is the people using your network.

Users – and that includes your own staff, maybe even you, yourself – are notoriously the weakest link in any security strategy. It’s well known that ease-of-use and security are almost diametrically opposed – even Bill Gates acknowledged this in the now famous Trustworthy Computing memorandum. But it’s not just the ease-of-use culture in Redmond that presents problems. Just walk around and see what your users are doing.

As just one example, how many monitors have stickies with hand-written passwords stuck on them? How many people print out every e-mail they receive and leave them on desks or simply throw them into wastebaskets where they can be retrieved by anyone? How many users log on to the network, attach to protected resources and then walk down the hall to get a cup of coffee?

What you need, my friend, is an IT Security Awareness Training Program. Step right up and I’ll tell you how to get one. Free. Gratis. Courtesy of the U.S. of A. government.

The government’s National Institute of Standards and Technology (NIST) runs the Computer Security Resource Center (CSRC). (The center also provides a helpful guide to the abbreviations and acronyms that the government is so fond of – see: https://csrc.nist.gov/acroymn.html)

The CSRC is preparing a guidebook, called “Building an Information Technology Security Awareness and Training Program.” (https://csrc.nist.gov/publications/drafts/SP800-50-version2Draft.pdf) This publication will provide detailed guidance on designing, developing, implementing, and maintaining an awareness and training program. While it’s intended for use within government agencies’ IT departments, it can be very useful to anyone interested in raising their users’ awareness of security issues.

Note that this document is still in draft, not final, form. Nevertheless it can serve as a very useful guideline to good security practice as well as a comparison and check for the training programs you already have in place. As the guidebook states, “A strong IT security program cannot be put in place without significant attention given to training agency employees on security policy, procedures, and techniques, as well as the various management, operational, and technical controls necessary and available to secure IT resources.”  Technology, by itself, won’t make you secure. As the document states: “…security of agency resources is as much a human issue as it is a technology issue.”

This 50-page document covers everything from identifying the need (it covers “roles and responsibilities” of everyone from the CEO on down to the part-time worker), specifying the content of training, suggesting the methods of training all the way up to ways to reinforce the message after training is finished. If you have a security awareness program in place, this makes a good comparison to see what you might be overlooking. If you don’t have one, you need to read this document right now.