Second only to basic security defenses such as firewalls and complex passwords, user awareness is the most important security measure that your company can implement. It might sound trivial at first to say that user awareness is important to security but it might be the most important non-hardware, non-software solution available. An informed user is a user who behaves more responsibly and takes fewer risks with valuable company data, including email. Not only does user education make the user aware of all the potential dangers of mobile computing, it also places a lot of the responsibility for corporate security onto the user. And that's a good thing.
Management can hang up all the inspirational posters and send out all of the "Five points to remember for safer computing" emails that they want and still have minimal impact on end user behavior. But a formal security course that requires participation and full attention is far more valuable to the company and to the user.
And I don't mean a course that is web-based or self-paced in any way. The course needs to be instructor-led, with participation required of each user. Yes, I know it's more expensive, but how valuable are your data, your intellectual property and your time? I think that you'll find that it's money well spent.
If you don't believe that education works, ask a few questions of your users, such as:
- Do you understand the security risks of using public Wi-Fi hotspots?
- Do you know what malware is?
- Do you understand why it's important to not store company data on your personal cell phone or tablet?
- Could someone access your data if your computer/cell phone/tablet were stolen right now?
- Do you know why it's important to keep your computer or device updated with the latest patches?
You'd actually be surprised to know how many IT professionals don't know the correct answers. Training programs don't have to be expensive or extreme. In the simplest of cases, they can consist of a PowerPoint presentation with a list of scenarios, some statistics and Dos and Don'ts that matter to security.
At the end, I suggest using an exam to assess the effectiveness of the course. I also suggest a follow-up discussion to cover any confusing or unclear points. A refresher course every six months would also be a very good idea and it could be as minimal as a two-hour refresher, covering the high points and answering any questions that might have arisen during the discussion.
Users have to understand the risks of jailbreaking devices. They need training to recognize and avoid social engineering strategies and spear phishing schemes. Role playing or actual "pop" tests are a good method of testing your employees' stake in security. These pop tests could be as simple as an employee calling up the main desk and trying to convince someone in the company to give up a user account and password.
Another possibility is to hire someone who poses as a security consultant and see how far into the company he can get before someone stops him. Security consultants are very good at using these techniques to gain access to accounts, server rooms and documents.
My suggestions to begin a security awareness training session in your company are as follows:
- Hire a good security consultant to advise you through the process or to perform the training.
- Conduct instructor-led training classes twice per year.
- Conduct security refresher courses regularly.
- Perform "pop" tests to evaluate training.
Awareness is important to your overall security defense. Don't discount it. All the firewalls, antivirus software and electric fences won't keep the bad guys out if Bob in Accounting hands over his user account and password to a stranger.
Here are some links to information to get you started with your own security awareness training programs:
How does your company handle security awareness? Do you have a program? Has BYOD heightened your level of security training? Talk back and let me know.