A recent article by The Register almost makes you feel bad for social networking sites. In addition to their existing reputation for wasting time and ruining the grammatical aptitude of teenagers everywhere, social networking sites are now being accused of creating serious security threats for organizations in the form of spam, phishing, and malware attacks (The Register).
Not that social networking sites are doing this on their own, mind you. They’re doing it with a little help from their friends: People.
It should come as no shock to any of us that the data risks brought about by social networking sites are due, once again, to inadequate security awareness training. According to the Register article, many non-technical employees are sharing too much information about their job or the organization they work for on social networking sites because they have not been properly trained in the area of security awareness.
While some of these users may have been ‘trained’ in security awareness, it’s likely that the ‘training’ they received was inadequate for the increasing security risks that organizations face as attacks become more frequent and effective.
But the answer to these attacks isn’t to beef up our technology or create more flashy programs; the real answer lies in making the paltry security awareness ‘training’ that’s currently available worthwhile and effective for the individuals who take it.
I don’t know about you, but I would have to say that in my experience, security training isn’t the most exciting thing in the world. It’s also not the most frequent thing in the world, with most organizations offering security awareness training once a year to once every 6 months (if you’re lucky).
Whether we want to admit it or not, security awareness training needs to be comprehensive. It should be something that is interesting and useful to people, not just something that they sit through because of the catered lunch. You need to make security awareness a part of everyday life. And, as bad as it might sound, you need to teach people to be more careful and just a little paranoid.
Good security awareness training is like the difference between a crash diet and learning to eat right: when done right, it’s something that becomes habitual. But if it’s a ‘quick fix,’ plan on a quick ending.
One of the worst things about the ‘quick fix’ approach to security awareness training is that it leaves organizations with a false sense of security. While they may have provided some ‘training’ to their employees, that doesn’t mean it worked. Unless the people who attended the training came away with a good understanding of why security is important, the ‘training’ didn’t do a thing.
So instead of just crash dieting your way to ‘perfect’ security, build a wide-ranging plan. Remind people about security awareness on a consistent basis. Put signs up in the lunchroom or on cubicles, and offer incentives that will motivate employees to keep their workstations malware-free. You can also have them sign up for the SANS newsletter, or send them applicable articles from publications like CNET.
If none of those suggestions float your boat, why not check out NIST’s take on promoting effective security awareness, or the SANS guide to security awareness? The resources are available; now, all we have to do is use them.
But what’s your take on this? How can we promote security awareness that works both for companies (and their bottom line) and employees?