A guide to enforcing security practices

A survey found that users are unwilling to follow good security practices. What's an IT director to do? Here are some steps to take.

I just read this story on InfoWorld: "The weakest security link: Users."

INS issued the results of a survey that found--you guessed it--end users, and "their unwillingness to follow good security practices is the primary barrier to improving protection against malicious code."

(See also "Does IT create risky behavior?")

Clearly this news comes as no surprise to practicing IT professionals. The biggest question surrounding this issue is not that users are the weakest link, but how to deal with it. Definitely a tough issue to deal with, or we would have solved it already, right?

Like many complex problems, the solution is multifaceted and includes technological and nontechnological components. Our first steps in combating user unwillingness to follow security practices fall on the non-technical side and involve changing/shaping behavior.

I. Rules and Regulations: In order to move noncompliance from just an organizational social phenomenon to one of actual consequence, we have to codify our security procedures in the form of "official policy and procedure" -- preferably in the organizational policies and procedures, not just departmental rules and regulations.

By doing so, we hopefully are conveying to the organization that we are serious about security and that violations do have consequences; however, this is easier said than done. It involves convincing senior management that information systems security rules are important enough to enforce, through disciplinary action if necessary. I could write volumes on just this aspect, but let me just say that this step is not the place to skimp on research and details. The better thought-out and articulated the policies, the better. Also, your governance body can play a huge role in the formulation of policy.

II. Training: It is not enough to get the rules on paper; they must be articulated so that employees know why security practices are important, as well as the consequences to both them and the organization of not following them. A great place to start is by catching the employee as they enter the organization. They have yet to be indoctrinated into bad habits by coworkers and tend to be more open to organizational messages than they are later on. So include IT in new employee orientations, or at least train whoever is giving orientations in the security policies.

We can’t forget current employees in our training. We need to find ways to train existing users on the importance of good security practices. Whether this is through HR-sponsored internal training, brown bag lunch-and-learns or some other method, the training needs to be made available frequently and the content kept fresh.

III. Communication: This is your propaganda campaign. You are running one, aren't you? Just like in WWII, you need to get your message out in a variety of ways. Come up with a slogan and plaster it wherever and whenever you can: startup messages, emails, the company intranet, email signature lines, posters, mouse pads, contests. The limit is your imagination. Keep the messages regarding good security practices in front of employees as much as possible. It will begin to sink in, and soon peer pressure among employees will aid in policing your policies.

One idea is to publicize compliance by having a very visible scorecard on the intranet that shows violations by department or by showing how many days have passed since a violation in a particular area – such as: "HR has been 128 days without a security violation." Of course this has to be coupled with random audits by staff who can use minor infractions as learning episodes by issuing "warnings," and of course, keeping records. This can be done in a way that you are taken seriously without getting the reputation of the Gestapo.

IV. Enforcement: Assuming you have clear rules, regulations and consequences, you must be proactive and consistent with enforcement. In many organizations this means having some difficult battles with other managers that may get escalated to senior management, often because other managers have a "star" performer who feels he or she can ignore rules and regulations. You must be prepared to invest time in these seemingly "minor" infractions because of the precedent they set and the message they convey. Major violations are usually a breeze and few managers will protest the enforcement of those rules and regulations on any employee. For example, it's hard to defend anyone for viewing porn in the office, and it's usually a one-way ticket out of the organization.

As mentioned above, there is an ever-increasing array of technology-based tools that aid in enforcing--or better yet--taking most of the security practices out of the users' hands. From firewalls, antivirus software, Web filtering and tracking, to keystroke logging, spam filters, and routing rules, there are seemingly dozens of new tools being created every day. I have written about some of these in previous blogs and articles, and you will find that, in general, I prefer tools that prevent infractions rather than just report infractions.

None of the components listed above can work alone to solve the problem of users who are unwilling to follow security practices. Together though, they can go a long way in reducing security vulnerability due to our users.