Ask almost any infosec expert what the biggest mistake in security is, and he or she will answer that it is failing to educate employees. While certain professions that fall under HIPAA, GLBA and other legislation are required to implement security awareness programs, the vast majority of businesses are not required to provide such education to their employees, and don't. Let me give you two actual examples from my own experience to illustrate how even a very simple program can make a big difference.
The Wrong Way: ABC Company did not even have a security policy in place, much less any kind of employee training. Management had the misguided idea that, since they had spent a lot of money on a firewall and anti-malware software for the servers and PCs, they did not need to concern themselves with any other security risks. One fine spring afternoon, the receptionist received a call from someone claiming to be from the local ISP, who told her that her password had been compromised and asked her to visit a certain web site to change it. Not knowing any better, she happily complied, and her computer was infected with a spambot that caused all kinds of trouble before I finally got it under control.
The Right Way: XYZ Company has a very simple, but effective, security policy in place. Employees are given a one-hour orientation on security when they are hired, and the sessions are repeated on a bi-monthly basis. Each session starts with this basic statement of security policy: “XYZ Company prides itself on having a secure network and a safe working environment. The reason we do is because of you.” The rest of the session is devoted to explaining what to watch out for in terms of email phishing attempts and social engineering attacks, and what to do about them. It is kept simple throughout, and each session repeats the same information. It works; they have never had a serious security problem.