Security Corner

Jan 31 2010   10:41PM GMT

The No. 1 Mistake in Security: Failing to Educate Employees



Posted by: Ken Harthun
Tags: employee education, Security, security awareness, Security policy, Security practice

Ask almost any infosec expert what is the biggest mistake in security and he or she will answer that it’s failing to educate employees. While certain professions that fall under HIPAA, GLBA and other legislation are required to implement security awareness programs, the vast majority of businesses are not required–and don’t provide–such education to their employees. Let me give you two actual examples from my own experience to illustrate how even a very simple program can make a big difference.

The Wrong Way–ABC Company didn’t even have a security policy in place, much less any kind of employee training. Management had the misguided idea that, since they had spent a lot of money on a firewall and anti-malware software for the servers and PCs, they didn’t need to concern themselves with any other security risks. One fine spring afternoon, the receptionist received a call from someone claiming to be from the local ISP, who told her that her password had been compromised and asked her to visit a certain web site to change it. Not knowing any better, she happily complied, and her computer was infected with a spambot that caused all kinds of trouble before I finally got it under control.

The Right Way–XYZ Company has a very simple, but effective, security policy in place. Employees are given a one-hour orientation on security when they are hired, and the sessions are repeated on a bi-monthly basis. Each session starts with this basic statement of security policy: “XYZ Company prides itself on having a secure network and a safe working environment. The reason we do is because of you.” The rest of the session is devoted to explaining what to watch out for in terms of email phishing attempts and social engineering attacks, and what to do about them. It’s kept simple all the way through, and in each session the same information is repeated. It works; they’ve never had a serious security problem.
