Security Risks Due To Social Networking Sites Show The Need for Better Security Awareness

A recent article by The Register almost makes you feel bad for social networking sites. In addition to their existing reputation for wasting time and ruining the grammatical aptitude of teenagers everywhere, social networking sites are now being accused of creating serious security threats for organizations in the form of spam, phishing, and malware attacks (The Register).

Not that social networking sites are doing this on their own, mind you. They’re doing it with a little help from their friends: People.

It should come as no shock to any of us that the data risks brought about by social networking sites are due, once again, to inadequate security awareness training. According to the Register article, many non-technical employees are sharing too much information about their job or the organization they work for on social networking sites because they have not been properly trained in the area of security awareness.

While some of these users may have been ‘trained’ in security awareness, it’s likely that the ‘training’ they received was inadequate for the increasing security risks that organizations face as attacks become more frequent and effective.

But the answer to solving these attacks isn’t to beef up our technology or create more flashy programs; the real answer lies in making the paltry security awareness ‘training’ that’s currently available worthwhile and effective for the individuals who take it.

I don’t know about you, but I would have to say that in my experience, security training isn’t the most exciting thing in the world. It’s also not the most frequent thing in the world, with most organizations offering security awareness training once a year to once every 6 months (if you’re lucky).

Whether we want to admit it or not, security awareness training has to be comprehensive. It should be something that is interesting and useful to people, not just something they sit through because of the catered lunch. You need to make security awareness a part of everyday life. And, as bad as it might sound, you need to teach people to be more careful and just a little paranoid.

Good security awareness training is like the difference between a crash diet and learning to eat right: when done right, it’s something that becomes habitual. But if it’s something that’s a ‘quick fix,’ plan on a quick ending.

One of the worst things about the ‘quick fix’ approach to security awareness training is that it leaves organizations with a false sense of security. While they may have provided some ‘training’ to their employees, that doesn’t mean it worked. Unless the people who attended the training came away with a good understanding of why security is important, the ‘training’ didn’t do a thing.

So instead of just crash dieting your way to ‘perfect’ security, build a wide-ranging plan. Remind people about security awareness on a consistent basis. Put signs up in the lunchroom or on cubicles; offer incentives that will motivate employees to keep their workstations malware-free. You can also have them sign up for the SANS newsletter, or send them applicable articles from publications like CNET.

If none of those suggestions float your boat, why not check out NIST’s take on promoting effective security awareness, or the SANS guide to security awareness? The resources are available; now, all we have to do is use them.

But what’s your take on this? How can we promote security awareness that works both for companies (and their bottom line) and employees?


Do you have your pass to SANSFIRE yet? If not, why not purchase it through NovaInfosecPortal? It doesn’t cost you anything extra, and it helps us keep the site going.

3 comments for “Security Risks Due To Social Networking Sites Show The Need for Better Security Awareness”

  1. April 29, 2009 at 2:23 pm

    The problem with security awareness training is that it’s really hard to effectively communicate a message. How hard? The advertising industry is built on trying to get even simpler concepts across and is only haphazardly effective. My intention is not to say security awareness shouldn’t be done. What I intend to say is we need to recognize the limitations of what can be accomplished.

    Instead of trying to communicate complete organizational policies and policy details, we should communicate the high concepts, then reinforce with effective repetition. Don’t say the same thing multiple times; communicate the idea through different channels in slightly varied messages. Reinforce and reward understanding and behavior. Avoid the broadcast-and-repeat mentality. Enculturate, don’t intimidate.

    Two other NIST resources are the draft version of SP 800-16 Revision 1, Information Security Training Requirements: A Role- and Performance-Based Model:

    and the Federal Information Systems Security Educators’ Association:

  2. grecs
    April 29, 2009 at 2:55 pm

    Yes agreed … communication is the hardest part.

    Thanks for breaking down what I was referring to as “consistent basis.” Much better said!

    I’ll have to take a look at the additional references you provided. Thanks for passing those along.
