Secure the people

21.03.2005
Von Mark Hall

When you and your company"s chief security officer sit down to plot the budget for protecting the corporate WANs and LANs, servers and desktops, laptops and other mobile devices, there"s a lot to discuss. Should you invest in better firewalls or intrusion-prevention systems? Additional antivirus technologies? Maybe some fancy new endpoint security software?

Or maybe, just maybe, you ought to invest the lion"s share of your IT security budget in the single biggest and most glaring security hole in your entire organization: your end users. If you did that, you"d be protecting your pricey IT infrastructure and the priceless information it contains better than all the other technology combined.

The Ernst & Young Global Information Security Survey last year revealed that end-user security training was the No. 1 problem inside large organizations. Yet less than half of the respondents said their companies had a formal training program to meet that threat.

How stupid is that?

Most companies feel that they"ve trained workers if they"ve sent them an e-mail with a list of do"s and don"ts. Some include a five-minute bit of slideware as part of new-employee orientation. Neither approach is worth much. You might as well tell workers, "We just don"t care that much about IT security. Do whatever you want."

Martin Bean, chief operating officer at New Horizons Computer Learning Centers, says companies "only pay lip service" to end-user security training. And, he adds, when he talks to the boards of directors at major companies about securing their IT infrastructures, "the toughest part of the conversation is about the need to retrain every single employee" to be secure computer users.

I know that IT likes to believe that all problems created by technology can be solved with more technology. In many cases, sad to say, it"s true. But not this time. Technology is a small part of the security solution. People are the big part.

Before workers are given computers and passwords, they should be given at least a half-day, if not a full-day, tutorial about the ins and outs of secure computing practices as defined by your IT department. Dedicating precious time and resources to such a learning experience tells new workers (and existing ones) that you are very serious about IT security procedures. It"s not lip service.

In those sessions, employees should learn about everything from phishing to the proper use of passwords. What"s more, they ought to be told about the consequences of failing to be security-conscious corporate citizens.

That"s right: consequences.

If workers flaunt security procedures, they should be punished. Although a network security administrator might think a firing squad is a worthy punishment, it"s unlikely that the HR bigwigs will go along with the idea. But they might agree to some well-conceived consequences for a person"s documented failures to keep your company"s IT assets safe, such as writing passwords on Post-it notes and sticking them on monitors. I think the loss of one day of vacation for every security violation after the first breach seems fair. And it will get workers" attention. No one likes to lose vacation time. Once any employee has lost a week of vacation time, the next transgression should mean job termination.

The standard whine from end users about, say, complex passwords is, "It"s too hard to remember the password. It"s got numbers and characters in it." Of course it"s difficult. That"s the point. And, yes, you need to write it down. But you can put it in a safe place like maybe your wallet. You put money and credit cards inside a wallet, so presumably you try to keep it safe. You carry a wallet in your pocket or purse. If you think it"s too difficult for you to open your wallet, well, maybe a firing squad is in order.

I also think workers should be rewarded for keeping a company secure. For example, if the company goes a full year without getting infected by a virus, everyone gets an extra vacation day in the next calendar year.

My point here is that there"s far too much emphasis placed on technology to solve a problem that"s often controlled by individuals. You need to push your company from the CEO on down to redirect resources to train and retrain employees on their critical responsibility to maintain the security of your company"s IT operations. If they"re not involved, you"re fighting a losing battle.