At first glance, employees at an annual security awareness training seminar at Cisco Systems might believe that the short video they’ve been asked to view is one of those “Law and Order” episodes — “ripped from the headlines.”
The camera fixes on a handsome but callous prisoner who sits in a dark interrogation room and slowly confesses to police how his planned day of data thievery went completely awry.
His target? Executives at a busy conference, all a bit distracted as they conversed and traveled from meeting to meeting carrying notebook and handheld PCs as well as briefcases full of proprietary and sensitive corporate information. It was, the thief says, “the perfect setup.”
But in this “episode,” a cadre of surprisingly well-trained and quick-thinking employees foils his sophisticated effort to charm his way in and steal as much hardware and insider information as possible.
The story line in the video is, of course, fictional, but the scenario is plausible in a world where cybercriminals’ motivation derives from financial and political gain rather than mischief.
“Every employee of any organization is a potential target of an information thief,” says Mia Bradway Winter, Cisco’s security awareness program manager. “And we want our employees to realize that, yes, it’s a dangerous world out there, and that these are the kinds of things that can happen. But if they are aware of what the threats are and know how to react in a given situation, they can prevail.”
Major computer manufacturers and information technology security companies may have the latest and greatest in encryption, intrusion detection systems, personal firewalls, antivirus applications and other data protection must-haves, but they still recognize that human nature, with its fallibility and foibles, remains the chief security vulnerability. For this reason, developing effective internal security awareness and training programs is a top priority for even the biggest technology companies, and their experiences offer lessons that agencies can also adopt when developing and fine-tuning their own training programs.
Security awareness programs succeed using many approaches, but the most effective have some common denominators, according to corporate officials. They are tied to the overall security policies of the organization but build on grass-roots support from within the organization; they are positive — even entertaining — in the way they teach and motivate; they are designed to meet the unique needs of different employee functions and communication styles; and they are ongoing and pervasive, rather than just one-time events.
“It’s important to remember that employees really do want to do the right thing,” says Lee Futch, product manager for educational services at Symantec. “And you can’t really hold them accountable until you’ve made them aware of the different threats that are out there and what they need to do to protect against them.”
Threats tend to exploit the human factor, says Tim McKnight, vice president and chief information security officer at Northrop Grumman Information Technology, citing phishing, social engineering, spear phishing and other attacks that trade on trust. “Obviously, we can’t take users out of the equation. The key is developing a program that can produce sustainable behavior change.”
Futch agrees, noting that technology is no panacea in today’s environment. “You can have the absolute best firewall in the world, but that won’t do you any good if somebody can talk the boss’s secretary into giving up his password,” Futch says. “Employee training in security is probably the best investment that an organization can make to help protect their information.”
Diffuse the Knowledge
Security and education officials at major technology corporations say that their approach has changed in recent years, treating security less as a purely technical matter and more as a bona fide business function.
That reality is one reason why John N. Stewart, Cisco’s CISO, decided to ask Winter, who spent her career in public relations, investor relations and internal communications positions, to lead the company’s new security awareness training program.
One of Winter’s first initiatives was the Cisco Security Champion Awards, which recognize employees who take the initiative to improve security within their own business unit. Security champions win money and other prizes, companywide recognition, a highly visible plaque that’s hung in the lobby at company headquarters and membership in a rarefied security ambassador group.
“What we’re trying to do is to build a network of folks that we can rely on throughout the different regions, so we can provide content and messaging and they can take it further into the organization,” she says. “We want the security awareness program to go beyond the training and into the company where it has its own legs and arms.”
Stay in Their Face
Keeping security front and center in employees’ minds is a critical component of a successful awareness program, and just because employees and new hires complete a course and pass a test of their security knowledge doesn’t mean the job is complete, says McKnight.
“At the end of the day, the most important thing a company can do in the area of security awareness is ‘repeat, repeat, repeat,’ ” he says. “It is our job to make sure that we find as many opportunities and methods available to us to deliver the message.”
Symantec, for example, offers regular Web-based refresher courses and routinely sends out short e-mail messages, either alerting staff to new threats or just communicating friendly reminders of good security practices. Cisco has come up with a number of simple, pithy security messages that are displayed around offices, on screen savers and on promotional items such as pens and name holders.
Still, says McKnight, organizations have to be careful about overcommunicating to the point that users lose interest. The key, he says, is to be as creative as possible. Many companies, including Northrop Grumman, use giveaways, interactive games and contests that test the security knowledge of employees. “These have been met with enthusiastic response,” he says.
Northrop Grumman has even extended its awareness and training into the communities where employees live, working with local school systems to teach its workers how to protect their children from Internet dangers.
Speak Positively; Carry a Big Stick
At the same time, it’s important to make sure that employees understand how easily security breaches can happen if users grow complacent.
John Lainhart, a partner and security, privacy and wireless service area leader for IBM Global Business Services, provides information security awareness training for federal agencies. He says one of the most effective things he does is to show rather than tell how security breaches can occur. He and his team have gone “dumpster diving” in front of a group of trainees and uncovered papers with user names and passwords written on them or walked unimpeded through the back door of a computer center used by employees during smoke breaks. “It’s a dramatic way to get their attention,” he says.
This type of approach also helps bring home to employees the dangers of the insider threat. People trust their colleagues, and that trust can make them lax about security practices inside their place of employment. Yet in fact, he says, “a lot of them have the keys to the kingdom.”
Although a positive approach works best with employees, it’s important to at least let them know the negative consequences of their actions, says John O’Leary, director of education for the Computer Security Institute, which works closely with several high-tech companies on security awareness training. “A policy needs to have teeth if it’s going to be effective,” he says. “That’s a point that should be told at least once, although you probably shouldn’t dwell on it too much. Fear is not the most effective motivator.”
Do It Their Way
Getting the security message across effectively also requires a strong understanding of how employees learn — and learn differently — security officials say. Work responsibilities and security needs differ from CEOs to IT specialists to administrative assistants to telecommuters. Some employees prefer instructor-led seminar training, while others like multimedia and Web-based training that they can do in their spare time. Some like to go to a Web site for information; others prefer updates and information pushed out to them via e-mail.
“When you’re talking about reaching and impacting people, you’re talking about a lot of variables being involved,” Symantec’s Futch says. “You cannot approach this as a one-size-fits-all program and expect it to work. You’ve got to know who your employees are and how they like to consume information and really develop and evolve your program to meet those different needs.”
Done right, though, a security program can result in a workforce that is up to the challenge of thwarting attacks, says Cisco’s Winter. “If you get people on board and enthusiastic about helping the organization protect itself, then what happens is you start reaping this culture of security, and it just starts building its own momentum,” she says. “People take actions and help each other, and the behavior you were trying to create in people just becomes second nature to them.”