Raising Users' Awareness

By cfalsetta ·
I have just been charged with the task of increasing our users' security awareness, and with finding a way to get the user community to understand their responsibility in keeping the network secure... a project long overdue. I am curious as to what other IT Security folks have found to be an effective means of communication. We post alerts regarding the latest and greatest in scams and viruses on our website, and Corporate-wide publications... but that doesn't reach the masses. We are a huge, global organization and I fully understand the requirement to incorporate several methods. I am looking for creative suggestions... something to pique the curiosity of the otherwise disinterested, at the same time encouraging their participation to be part of the solution as opposed to being part of the overall problem. Ideas anyone?

by DC_GUY In reply to Raising Users' Awareness

I was a data security officer many years ago. A lot has changed since then, but a lot hasn't. You have two basic problems: Users don't feel that computer security is an important issue to them, and users are resistant to anything that causes them more work or inconvenience.

As an example, just getting people to stop writing their password on a stickynote and pasting it on the side of their monitor was an almost insurmountable problem in the old days, and it's still with us. Especially since we now require passwords that are harder to remember and require changing frequently.

You have to make security measures as easy as possible for the users, and you also have to get them to believe that security is important. If you've had a virus or Trojan horse attack in your company, that will help with the latter. As for the former, sometimes you have to bite the bullet and compromise. It's far better to have B-minus security procedures that everyone follows than to have A-plus procedures that half the staff ignores.

An invaluable aid to selling security is personal contact. I went around and gave security presentations to thousands of our end-users. I injected a lot of humor and patiently answered all their questions and promised to take their concerns back to management if they had a genuine problem. It's salesmanship -- getting people to like you and trust you and want to please you.

As for getting buy-in from the people too distant to see personally, that's a tough one. I don't know how your company is organized, but most IT shops consider computer security to be such a serious issue that they have a member of the computer security staff at every major location.

Perhaps your people are distributed too thinly to make that practical -- working from home or in offices with only four or five people. Even then, it's worth the expense to put on a "road show" and personally travel around and talk to as many of them as possible.

If not, then the way to go is what you're doing: bulletins and daily spams and articles in the company magazine and everything you can think of. Be sure and follow all the rules of good writing: make it personal, make it positive, make it a little humorous, don't scold anybody. But really, computer security is a little too important to delegate to the newsletter editor. If you're serious about it, the computer security staff (which should be rather large if your company is as big as you describe) ought to have a big travel budget.

I don't know what kind of software you're running on your network, whether you're stuck with a Windows architecture because you have too much invested. If not, the best way to reduce your virus, worm, and Trojan horse exposure by 99 percent is to start replacing those PCs with Macs.


Thank you DC_GUY....

by cfalsetta In reply to

I appreciate your time in responding to my plea for ideas. By the sounds of things, you were quite the awesome DS Officer! You have made excellent points with which I completely agree. The personal touch, the inclusion of humor where appropriate, etc. All of that is right up my alley (smile). I am just now working on putting together a game plan... incentives, printed material (simple, somewhat entertaining, yet still effective), frequency, etc. It's a healthy challenge considering the volume of folks to reach (right around 10,000).

I spent several years, a few years back, traveling to some of our International affiliates and providing training to their IT folks (train the trainer). It was an incredible, and quite valuable, experience! However, I don't see that I will be shipped from country to country again in the near future... but you never know! For now, we need to focus on those users within reach (comparatively).

Well, again, I thank you for your time DC_GUY... If anything else comes to you, be sure to let me know. ...and have a great day!

Speaking as an end user

by philospher In reply to Thank you DC_GUY....

I believe that it's essential to get the end users on board with security. Shutting them out only increases their defiance. I work in retail and the IT department treats us like we're the enemy. The system is so "locked down" it's almost useless. The general feeling is one of resentment. A good compromise would be to have "local admins" or "power users" able to do things that need to be done without going through the levels of management.


Speaking as an IT professional ...

by -Ec In reply to Speaking as an end user

The problem with most end users is they THINK they know more than they do - and seem to believe a work computer is "theirs". Does your employer allow you to service company vehicles? Can you repaint them because you don't like the colour? Or modify them in any other way? If you are lucky enough to be supplied with a company vehicle, would you leave it in the car park with the keys in the ignition? No! Then why is your employer's computer, placed on your employer's desk for you to use, any different? A computer is a tool to help you perform your job - nothing more.

IT staff do sometimes feel computer users are the enemy because when you install some flash new screensaver and end up trashing a PC - or worse - they are the ones who have to drop everything and fix it, often working long hours without any extra pay until everything is operational again.

Staff buy-in for security is essential - but at the end of the day your management sets the rules; if you don't like them, you know where the door is ......


middle management

by apotheon In reply to Thank you DC_GUY....

Critical to the task will be getting managers on-board with the effort. Do this by making them feel more integral to the task: put middle management on an "exclusive" mailing list outlining "important concerns" that will make them feel more involved, and in those emails you send make sure you delegate some of your work to them by having them pass on and enforce security procedures. Make sure that upper management keeps an eye out for the compliance of middle managers, too. IT can't police everyone in the organization, so you've got to have management doing a lot of your work for you.

It's not just about getting the end user to care through gimmicks and personal attention. You don't have enough personal attention to go around, and not everyone will care. You have to ensure that management makes your policy their policy. They're the people the end users are, ultimately, going to listen to, if only because they'll want to keep their jobs.


Client Awareness

by DSC In reply to Raising Users' Awareness

In large organizations it is hard to establish a method to raise each individual's participation. However, it should be understood by every user of a company's computer system that they must abide by a computer or network usage policy and that their computers will be audited for misuse. That not only sparks their interest, but establishes a legal foundation to act upon. After all, the user is generally 80% of the network's weakest link. All it takes is one person in the right place to have "Subseven Server/client" software to expose a real threat to the network security. Awareness should also be given on P2P software such as Napster and such.
