Tuesday, 20 August 2013

Security & Policy Awareness

Security awareness

With all the different risks we face at a number of different layers—protocols, languages, and services on a day-in, day-out basis—it is funny to think that some of our most difficult challenges are educating and informing the organization's employees about security policies and practices to safeguard the company. I am sure that you just chuckled, and I bet you agree with me. Most employees feel that security is a waste of time and regret taking the effort to learn about it and become smarter workers. The truth is that security is everyone's job, and we need everyone in the organization on our side.

There are two ways to stop black hats from doing bad things. The first tactic is tooling, but we will identify areas where we do not have tooling to help defend. So the only other way to deter a black hat is through the consequence itself. For example, some people may feel that surfing the Internet on the job is not a big deal. If we change and publicize the risk aspect of such a threat to a job-ending punishment, the likelihood that such behavior will happen will be diminished.

Policy awareness

We need to identify and ascertain whether people listen to and understand the current policies and procedures that pertain to security. At this point, we should understand what our tools are and what data we need to protect. We should also understand our policies to some level as well as what tools we have in place that render the policy irrelevant. In other words, if we have good tooling and plays with which to protect our applications, policy is not as important in terms of prevention.
The policy is obviously still important in the rare event that someone circumvents our controls. The focus of our efforts should be around the areas of risk that lack protective tooling, for example, the likelihood of a social engineering attack. All companies are susceptible to this type of attack, and we need to understand how such an attack would affect the organization.

A survey is one of the best ways to understand our current security posture with respect to the knowledge of our current employees. Tools such as great for understanding security policy. Obviously, the key to a successful survey is to garner upper management support in advance and offer incentives to employees to complete it. Some areas to consider include a focus on corporate values and policy feedback to determine what people truly understand about them. This approach will help us to understand the overall strengths and weaknesses of our corporate culture. We want to assess whether employees are generally ethical or not. We would ask questions that focus on simple, day-to-day operations, such as "How many times a day do you check your personal email?" Some questions may center on data policies, such as whether or not employees think it is a big deal to copy information from the organization for a charity event, or how likely it is for a supervisor to request such information.
