We’ve all read about how Security Awareness training is required and how it doesn’t seem to work too well. A recent study by the Ponemon Institute lends credence to the latter point and underscores the need for more stringent Data Loss Prevention policies and procedures in organizations. The study, released on June 10th and sponsored by IronKey, surveyed 967 individuals across a broad spectrum of industries.
From the IronKey website:
- The majority of respondents admit to serious non-compliant workplace behaviors that place their companies at risk. Such behaviors include the insecure use of USB memory sticks, use of Web-based email, sharing passwords, turning off security settings and more.
- According to the study, 69 percent of employees surveyed said that they copy confidential or sensitive business information onto USB devices, while only 13 percent of respondents said their companies have a policy that allows this, showing a 48 percent non-compliance rate.
- 61 percent admitted to copying confidential or sensitive business information onto USB devices, and then transferring the information to another computer that is not part of the corporate network.
- Over half of the respondents said that they download personal Internet software to their company computers, which significantly increases the risk of introducing viruses, worms and other malware into an organization’s network.
- 58 percent of the respondents said that their companies do not provide adequate training about compliance with data security policies, and about the same number said the data security policies are ineffective.
- Approximately half of the survey participants said their corporate data security policies are largely ignored by employees and management, and that the policies are too complex to understand.
- Compared with a similar study conducted by Ponemon Institute in 2007, the rate of non-compliant employee behavior appears to be getting worse over time.
So, with these in mind, what is our take-away and what do we do to change this reality?
- Organizations must do more to educate employees and contractors about the critical value and essence of protecting corporate information, from the standpoint of compliance risk and cost, loss of public and client confidence in the organization, and support for the organization’s core values.
- Organizations must implement more effective and comprehensive Data Loss Prevention policies and procedures. USB sticks, while very handy, shouldn’t be allowed to connect to client computers unless there is a confirmed business need, e.g., conference presentations, corporate travel, work in conjunction with another tool like a laptop or notebook in the field, etc. It’s far too easy for employees to use USB sticks as neo-sneakernet technology for telework. Convenience must be trumped by Security here, because the risks from device loss, data loss, and introduction of home-brought malware back into the organization are too great to ignore.
- Similarly, organizations must enact stringent endpoint controls, specifically user account rights, which prevent users from installing unauthorized software. Too many users run as Local Admin on their desktop or laptop computers. Establish a base operating system image for deployment across the organization, providing software tools to user groups via policy. For example, an organization can provide an image for Windows XP or Vista which includes Office as a base, then selectively, through Group Policy, allow certain users or groups to use additional software on an as-needed or per-use basis.
- Endeavor to educate users about the costs of compliance breaches during security awareness training. Sharing organizational and industry-specific metrics about compliance cost can be eye-opening – Security Managers must do more to evangelize management about how expensive it is to be non-compliant. Perhaps tying corporate bonuses and raises to compliance breach awareness might be beneficial ~ when users have a financial stake in the outcome, they tend to pay more attention…
- The overall problem is getting worse and people are complacent. Make security policies easier to understand by employees and friendlier to teach. Seek out new and innovative ways to teach security awareness, for example, teach employees about the home vacation security guide by ISECOM and about how to keep their children safe online ~ in other words, make security awareness PERSONAL! This consciousness-raising will transfer to the workplace if done correctly and compassionately. Teach employees how to protect themselves and how to protect you, because you are their ‘bread & butter’.
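Two of the recommendations above (restricting USB storage, and getting users out of the local Administrators group) are things a security manager can actually measure on each endpoint rather than only write into policy. The following PowerShell script is an added example, not code from the original post or from IronKey/Ponemon; it audits both controls on the machine it runs on. It assumes PowerShell 5.1 or later (for Get-LocalGroupMember), that it is run elevated, and that the organization's approved administrative principals are the ones passed in $AllowedPrincipals (the defaults below are placeholders). The registry locations checked are the standard Windows ones: the Group Policy "Removable Disks: Deny read/write access" values, and the USBSTOR service Start value (4 = driver disabled), which was the common way to block USB mass storage on XP-era images.

```powershell
# Added example (not from the original post): read-only audit of two endpoint
# controls recommended above -- local admin membership and USB storage blocking.
# Assumes PowerShell 5.1+ and an elevated session. $AllowedPrincipals is a
# placeholder list; replace it with the organization's approved admin accounts.

function Get-LocalAdminFindings {
    param([string[]]$AllowedPrincipals = @('Administrator', 'Domain Admins'))

    # Members come back as DOMAIN\name or COMPUTER\name; compare on the short name.
    $members = Get-LocalGroupMember -Group 'Administrators'
    foreach ($m in $members) {
        $shortName = ($m.Name -split '\\')[-1]
        [pscustomobject]@{
            Principal  = $m.Name
            Class      = $m.ObjectClass            # User or Group
            Unexpected = ($AllowedPrincipals -notcontains $shortName)
        }
    }
}

function Get-RemovableStoragePolicy {
    # GUID is the Windows device setup class for removable disks, where the
    # "Removable Disks: Deny ... access" Group Policy settings are written.
    $removableDisks = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
    $usbstor        = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

    # Missing values cast from $null to 0, i.e. "not denied".
    $policy    = Get-ItemProperty -Path $removableDisks -ErrorAction SilentlyContinue
    $denyWrite = [int]$policy.Deny_Write
    $denyRead  = [int]$policy.Deny_Read
    $start     = (Get-ItemProperty -Path $usbstor -Name Start -ErrorAction SilentlyContinue).Start

    [pscustomobject]@{
        DenyWriteByPolicy        = ($denyWrite -eq 1)
        DenyReadByPolicy         = ($denyRead  -eq 1)
        UsbStorageDriverDisabled = ($start -eq 4)
        # Compliant with "no USB sticks unless approved" if the driver is off,
        # or policy blocks both reading and writing removable disks.
        Compliant = (($start -eq 4) -or (($denyWrite -eq 1) -and ($denyRead -eq 1)))
    }
}

# Usage: list unexpected admins, then show the USB storage posture.
Get-LocalAdminFindings | Where-Object Unexpected | Format-Table -AutoSize
Get-RemovableStoragePolicy | Format-List
```

Run it as part of the build-image validation or push it out through a scheduled task so the results can be rolled into the compliance metrics the post suggests sharing with management; a machine that reports Unexpected admins or Compliant = False is one where the written policy and the actual configuration disagree.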
There are a variety of security awareness training resources online; here are a few to consider:
- Security Awareness training basics from the Integrated Site Security for Grids organization (ISSEG).
- NIST SP800-16 – Information Security Training Requirements: A Role- and Performance-Based Model (Draft)
- ISC2 blog comments on the NIST SP800-16 standard – very good!
As security managers and practitioners, the gauntlet has been thrown down! It’s up to us to raise awareness by management and help find new methods of providing security awareness training, ways that increase the stickiness of the subject across the audience spectrum. We know we have to speak ‘business’ to management to help them understand why security is important, essential, and a cost-saver, not just a cost-center; now we have to find ways to do the same with awareness training, making it far more than just ‘checking the box’ each year.