Breaking Down IT Security Awareness
By: Peter Lindley, security researcher, InfoSec Institute
It’s an accepted fundamental of IT security: the weakest point is almost always the user. Most surveys and annual security reports show that incidents caused by users represent by far the highest percentage of those reported or detected. By the same token, the best “bang for your buck” in security incident prevention is invariably the security awareness program.
But what exactly is a security awareness program? What should it include?
I was once appointed to a recently-formed organisation as its IT Security Manager. I was tasked with implementing and managing an Information Security Management System (ISMS) for the new body.
A team of consultants had developed a number of IT security policies and security operating procedures (SyOps) as part of the ISMS prior to my appointment. These included a main overarching System Security Policy with various detailed policies specific to particular areas (for example, an incident reporting policy) supported by a number of SyOps, some of which were role specific.
A key requirement was clear: to embed the responsibilities and good practices included in the policies and procedures within the culture of the new organisation.
But how could this best be achieved?
In assessing this, it became clear that as well as considering the earlier question posed – what a security awareness program should include – it was equally important to ask what should not be included.
IT security policies and procedures tend not to be as readable as the latest Lee Child, Stephenie Meyer, E.L. James or Fyodor Dostoyevsky (delete as appropriate to your literary tastes!). You are unlikely to hear someone describe their Remote Access policy as “unputdownable”, for example.
IT Security policies tend to be turgid documents with a lot of detailed sections laced with technical jargon. This may be unavoidable to an extent – for example, to ensure compliance with appropriate standards and guidelines and to cover relevant legal requirements. The end result, however, is that most users are unlikely to ever read their IT Security Policy from beginning to end.
This was indeed the case with the policies and procedures I inherited. These included many long paragraphs devoted to – for example – the arrangements in place to manage cabling security, power utilities, etc.
So, I carried out an exercise to go through all of the policies and procedures and extract only the key points relevant to all users in their day-to-day work. This took some time, but at the end of the process I had identified a list of key requirements that could be organised into three broad areas: what the user ‘must not do’, what the user ‘must do’, and what the user ‘needs to be aware of’.
This set of key points would thus form the basis of the security awareness program.
So where to start?
It was fortunate for me that – as a new organisation established at a greenfield site – the project management team had arranged induction training for its new staff. I contacted the training team and obtained their agreement to add a brief presentation on the IT security policy, which I would deliver as part of the induction course.
I developed a set of slides based on the key “dos” and “don’ts”, etc. mentioned above, highlighting key messages. I also drew up accompanying notes to help explain why the user needed to “do” something – or avoid doing something – clarifying the potential adverse impact to the organisation (or the individual member of staff) that might otherwise arise.
I also used this content to draw up a few pages covering the IT Security policy to be added to the induction pack which was issued to all attendees at the training.
For the presentations, I tried to keep things light, encouraged questions and avoided text-heavy slides.
Referring to topical incidents (of which there never seems to be a shortage) of course helps to focus minds on the potential impact when things go wrong, although personally I always try to do so without over-hyping the threat landscape, which has been the focus of so many of the presentations I have had to endure at conferences over the years. (Basically, the approach often seems to be: think of something nasty and stick “cyber” in front of it: “cyber-terrorism”, “cyber-assassination”. Then find some vaguely relevant but not particularly convincing or well-documented “incident” to shoehorn in as an example. What’s next? “Cyber-coup”? “Cyber-Armageddon”? “Cyber-Bad Hair Day”? Who knows? IT security threats are real and widespread enough without the hyperbole and scare-mongering that often characterise presentations, particularly those aimed at marketing security tools or products. But I digress...)
Providing advice and guidance that is also relevant to staff in their personal home IT use helps maintain interest and can be a “win-win” for both the staff member and the organisation. Promoting good practices around the use of social media is a good example, in particular ensuring that staff are aware that they must not reuse their official work account password for their social media accounts. No hype is needed to highlight the risk: if the information held by the social media site is compromised, a reused password in turn exposes official systems as a consequence. A number of well-documented examples are available.
One of the key benefits of delivering the security awareness presentations is not so much to do with the content but rather that staff can now put a face (and phone number and email address) to the name when it comes to their IT Security Manager. They will know who to contact if they have any concerns or need any guidance on IT Security issues and – most importantly and a key message in any security awareness program – to whom they should report any security incidents whether they be actual or suspected. This is a key factor that is generally missing from online training.
Another area I would include in security awareness training relates to the role of the line manager. Line managers are normally best placed to oversee staff compliance with security policy and procedures and, for example, to ensure that any security incidents within their area of responsibility are reported. In the organisation for which I delivered the security awareness program, this responsibility was added to the formal job description of those with a line management role. I underlined this during the training presentations while also making clear my availability to provide advice, guidance and support when needed.
All new staff were (and are) obliged to attend the induction training, and “mop-up” sessions were arranged later for those unable to attend the initial sessions.
Feedback on the security training was obtained via questionnaires completed by the attendees, and this was very positive. The high number of phone calls and emails I received from staff seeking clarification in the days and weeks after the training presentations further confirmed their success. Plans for refresher training have also been agreed upon with the training team.
Of course, a security awareness program is about more than just training presentations, and I implemented a number of other measures to complement the training.
One of the most important was the development of an IT Security area on the organisation’s Intranet.
For the basic structure of this area of the Intranet, I used the sets of ‘must dos’, ‘must not dos’, etc. referred to above. I also added sections covering specific areas, such as guidance on the use of the Internet and email, to reinforce key messages – for example, on the risks from links or attachments in emails from untrusted sources.
Another measure was put in place when I arranged with the chief executive that I would draw up regular email reminders summarising key messages from the security policy, which would then be issued in his name.
This helped reinforce commitment at the most senior level to the need to embed security policy compliance in the culture of the organisation. These emails included links to the security area of the Intranet to provide additional information and guidance and contact details for myself as IT security manager.
These reminders would be issued every six months – and on an ad-hoc basis in response to a particular incident or reported threat – and senior managers agreed to include the reminders as a fixed agenda item for their regular team or branch meetings.
Other items I used as part of the awareness program included posters with key IT security messages which were put up in the building elevators and other appropriate locations. I would also contribute IT security-themed articles to the organisation’s in-house magazine on an occasional basis.
Finally, I became aware that promotional materials were being developed to help market the new organisation. These would include mouse mats printed with key messages about the services the new organisation would provide, to be issued to all staff in the organisation as well as to its customers.
I managed to get agreement from the marketing team that a small section of the mouse mat would be set aside to allow me to add some security-related content. Given the limited space available, this had to focus on very brief but key messages related to, for example, password protection and using ‘Ctrl/Alt/Del’ to lock computers when unattended.
In summary: an awareness program is essential to help embed a culture of good practice in relation to information security within an organisation.
Identify what key messages from your security policies and procedures you want to communicate to staff as a starting point. Think about what you can exclude so that you avoid boring staff with stuff they don’t really need to know. Focus on what is essential to help staff comply with good security practice in their day-to-day work.
A useful approach is to list key “dos” and “don’ts”. These can form the foundation for a security awareness presentation, but be ready to explain the reasoning behind each requirement. Topical incidents are usually available to help illustrate this – without any need to resort to exaggerating the potential threat! Encourage staff to ask questions or to follow up any queries with you at a later date.
An Intranet security area can be developed to provide a useful repository of security guidance to help complement the awareness program.
Regular reminders regarding security policy and communications issued in response to current threats or incidents are also important. If these can be issued via senior management, this will help confirm their commitment to information security in the organisation.
The use of other media or promotional materials – posters, mouse mats, etc. – can also help reinforce key messages.