I just read the following story regarding IT security: issued the results of a survey that found--you guessed it-end-users, and "their unwillingness to follow good security practices is the primary barrier to improving protection against malicious code." (http://weblog.infoworld.com/techwatch/archives/004141.html)
"The weakest security link: Users."
issued the results of a survey that found--you guessed it-end-users,
and "their unwillingness to follow good security practices is the
primary barrier to improving protection against malicious code."
Clearly this news comes as no surprise to most of
you that are practicing IT professionals. The biggest question
surrounding this issue is not that users are the weakest link, but how
to deal with it. Definitely a tough issue to deal with or we would havesolved it already right?
Like many complex problems, the solution is
multifaceted and includes technological and nontechnological
components. Our first steps in combating user unwillingness to follow
security practices fall in the nontech side and involvechanging/shaping behavior.
I. Rules and Regulations:
In order to move noncompliance from just an organizational social
phenomenon to one of actual consequence, we have to have our security
practices codified in the form of "official policy and
procedure"--preferably in the organizational policies and procedure,not just departmental rules and regulations.
By doing so, we hopefully are conveying to the
organization that we are serious about security and that violations do
have consequences. However, this is easier said than done. It involves
convincing senior management that information systems security is
important enough to discipline employees over and more importantly,
that the rules are important enough to enforce. It's possible to write
volumes on just this aspect, but let it suffice to say that this step
is not the place to skimp on research and details and the more well
thought out and articulated the policies the better. Also, yourgovernance body can play a huge role in the formulation of policy.
II. Training: It is not enough to get the rules on paper; they must be articulated in such a fashion as to let employees know why security
practices are important as well as the consequences to both them AND
the organization of not following them. A great place to start is by
catching the employee as they enter the organization. They have yet to
be indoctrinated into bad habits by coworkers and tend to be more open
to organizational messages than they are later on. So have someone from
IT be part of new employee orientation or make sure that whoever is
charged with the orientation can deliver your message in an effectiveway.
We cant forget current employees in our training.
We need to find ways to train existing users on the importance of good
security practices. Whether this is through HR-sponsored internal
training, brown bag lunch and learns, or some other method, the
training needs to be made available frequently and the content keptfresh.
This is your propaganda campaign. You are running one aren't you? Just
like in WWII with "Loose Lips, Sink Ships," you need to get the message
out in a variety of ways. Come up with a slogan and plaster it wherever
and whenever you can. Start up messages, e-mails, on the company
intranet, e-mail signature lines, posters, mouse pads, contests, the
limit is your imagination. Keep the messages regarding good security
practices in front of employees as much as possible. It will begin to
sink in and soon peer pressure among employees will aid in policingyour policies.
One idea is to publicize compliance by having a
very visible scorecard on the intranet that shows violations by
department or by showing how many days have passed since a violation in
a particular area such as: "HR has been 128 days without a security
violation." Of course this has to be coupled with random audits by
staff who can use minor infractions as learning episodes by issuing
"warnings" and of course, keeping records. This can be done in a way
that you are taken seriously without getting the reputation of theGestapo.
Assuming you have clear rules, regulations and consequences created as
part of step I, you must be proactive and consistent with enforcement.
In many organizations this means having those difficult battles with
other managers that get escalated to senior management because they
(the other manager/s) have a "star" performer who feels they can ignore
rules and regs that inconvenience them. You must be prepared to invest
the time in these seemingly "minor" infractions because of the
precedent they set, and the message they convey. Major violations are
usually a breeze and few managers will protest the enforcement of those
rules and regulations on any employee. For example, it's hard to defend
anyone for viewing porn in the office, and it's usually a one-wayticket out of the organization.
As mentioned above, there is an ever increasing
array of technology-based tools that aid in enforcing--or better
yet--taking most of the security practices out of the users' hands.
From firewalls, antivirus software, Web filtering and tracking, to
keystroke logging, spam filters, and routing rules, there are seemingly
dozens of new tools being created everyday. I have written about some
of these in previous blogs and articles, and you will find that, in
general, I prefer tools that prevent infractions rather than justreport infractions.
None of the components listed above can work alone
to solve the problem of users who are unwilling to follow security
practices. Together though, they can go a long way in reducing securityvulnerability due to our users.
Keep up with the issues and challenges that
uniquely affect public-sector IT with TechRepublic's free Government ITnewsletter, delivered each Tuesday. Automatically sign up today!