Installing the latest security hardware and software means nothing if end users don't practice cyber safety. And the best way to get end users to "think security" is to create an ongoing culture of security at your company.
"Security awareness isn't one of those things that organisations do for fun. It's 24/7 and accountability starts with the CEO and is pushed to all corners of the organisation," says Larry Ponemon, founder of the Ponemon Institute, a privacy and data protection research firm in Michigan.
The stakes are high and getting higher all the time. In January, the Identity Theft Resource Center (ITRC) reported that the number of data breaches in 2008 increased 47% compared to 2007. The organisation also reported that 35.2% of breaches were due to human error.
And Ponemon recently released a study showing that the average cost of a data breach grew to US$202 (NZ$349) per record compromised in 2008, up from $197 per record in 2007. And the average security event cost individual companies $6.6 million per breach in 2008, up from $6.43 million in 2007 and $4.7 million in 2006.
Worse, security breaches result in a loss of consumer confidence, which translates into customers taking their business elsewhere.
So, what are the keys to a successful security awareness programme? Creating a culture of security starts at the top, includes individuals from all departments and groups, is based on pre-determined policy and subsequent controls, is consistently revisited and updated, and is practiced daily.
Security is Job One
Computer security is a fast moving target. Today there are more threats, more vulnerabilities, more portable storage devices, and there's increased mobility. There's also less of a wall between one's personal life and work life. The things to protect and protect against are changing.
That means educating end users about security is more difficult, demanding and necessary than ever before.
"Today, users are more aware of existing threats, but threats are more sophisticated and they migrate faster," says Max Reissmueller, senior manager of IT infrastructure and operations at Pioneer Electronics in California.
Reissmueller is responsible for end user security awareness for roughly 1,600 employees at about 15 locations in North America. Pioneer Electronics has a formal security review board that updates policy annually and disseminates changes to end users.
But one major problem when it comes to end-user training is that security is not the end user's primary job. "The end user doesn't do security for a living so their focus isn't on how to keep the company secure, it's how to best do their job," Reissmueller says.
In fact, industry experts agree that social engineering makes it difficult for enterprises to keep up with the rapidly changing vulnerability landscape. You can't expect end users to be security experts, but you can teach them how to notice when something looks suspicious, and who to call when a security-related issue arises.
Another key is to put security awareness in the larger context of protecting company assets, company revenue and the company's reputation. "Policy is often written with little or no consultation. End users get emails to be aware about threats, but there's no context," says Sam Curry, vice president, product management and strategy at RSA, the security division of Massachusetts-based EMC.
Curry believes not only that creating a culture of security requires the involvement of all the organisation's departments and groups, but also that it is paramount that users understand why their actions create risk for the organisation.
What happens when security risk isn't put in context for end users? According to RSA's 2008 Insider Threat Survey, "People will do as they will, regardless of awareness of best security practices."
The survey, which polled 417 people from North America and Latin America, found that 94% were familiar with their organisation's IT security policies, yet 53% have felt the need to work around IT security in order to get their work done.
Pioneer's Reissmueller says there's security compliance and there's security awareness, and they're not the same thing. Security awareness is not a check-box item. It's also not a one-time or even two-times-a-year event.
Security awareness must be ongoing, "to keep the knowledge fresh and real in the mind of the end user," he says.
The training often begins by working to get end users to really understand why security awareness is necessary.
"Organisations want users to internalise the problem. They want employees to do the right thing because it's the right thing to do, not because you're watching them," says Mark Rasch, a Maryland attorney specialising in computer security and regulatory compliance. Rasch formerly headed the US Department of Justice computer crime unit.
A common component of security awareness training is a DVD, video or web-based module. Companies also require that all employees read and sign internet and acceptable-use policy and security policy documents.
"Policy must also reflect the culture of the company and its values," Rasch says. Furthermore, policy must be enforced with training. "The longer an organisation goes without training, the greater the divergence between the written one [policy] and the unwritten one, or the one users are following," he adds.
Many organisations offer security awareness training. For example, SCIPP International, a global non-profit organisation based in Virginia, offers security awareness certification for individuals and organisations.
In 2005, New York State developed an antiphishing exercise in conjunction with The Anti-Phishing Working Group, AT&T and the SANS Institute. The exercise involved 10,000 employees, who were unaware they were participating in a security exercise.
In the exercise, 15% of employees fell prey to a phishing scheme. After the results were tallied, these individuals got a message informing them that they had fallen for a phishing email and directing them to a brief tutorial on how to be more aware of phishing scams.
The organisation launched a different online exercise to the same employee population two months later and saw a 50% improvement. Users who failed the second exercise were asked to participate in a feedback survey to determine why they took the action they did.
The goal of the exercise was to understand how well the state communicates and how well users learn, according to William Pelgrin, chief cybersecurity officer and director, NYS Office of Cyber Security & Critical Infrastructure Coordination, Albany, New York.
"Just telling people that phishing is out there isn't very effective. It's better for users to have a tactile interactive experience," he says.
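The New York State exercise above amounts to a measured procedure: send a simulated phishing email with a per-recipient tracking link, attribute each click to one employee, compute the failure rate, repeat with a different lure later, and compare the two rounds. The script below is an added example of how to score such an exercise; it is not code from the state's exercise or from any of the organisations quoted. The campaign names, the landing-page URL, the HMAC secret, the log line format and the employee list are all assumptions, and the click logs are constructed inline so the script runs offline. The tracking token is an HMAC over the campaign id and employee id, so a click can be attributed without putting the employee id in the URL, a forged or guessed token is simply ignored, and a round-one link clicked late does not pollute round-two results.

```python
"""Scoring a simulated phishing exercise (added example; constructed data)."""
import hashlib
import hmac
from typing import Dict, Iterable, List, Set

# Assumption: one secret per exercise, kept out of the mail template and the repo.
SECRET = b"campaign-secret-kept-out-of-source-control"
# Assumption: landing page that logs the hit and redirects to the tutorial.
BASE_URL = "https://training.example.invalid/r/"


def tracking_token(campaign: str, employee_id: str, secret: bytes = SECRET) -> str:
    """Unforgeable per-recipient token; the employee id never appears in the URL."""
    msg = f"{campaign}:{employee_id}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


def tracking_url(campaign: str, employee_id: str) -> str:
    return BASE_URL + tracking_token(campaign, employee_id)


def build_token_map(campaign: str, employees: Iterable[str]) -> Dict[str, str]:
    """Reverse index used when the click log comes back from the web server."""
    return {tracking_token(campaign, e): e for e in employees}


def attribute_clicks(token_map: Dict[str, str], click_log: Iterable[str]) -> Set[str]:
    """Map clicked tokens back to employees.

    Unknown tokens (link scanners, forwarded mail, guessed values, a stale
    token from the previous round) are dropped, and repeat clicks by the same
    person count once.
    """
    failed: Set[str] = set()
    for line in click_log:
        # Constructed log format: "<timestamp> GET /r/<token>"
        path = line.split()[-1]
        token = path.rsplit("/", 1)[-1]
        employee = token_map.get(token)
        if employee is not None:
            failed.add(employee)
    return failed


def failure_rate(failed: Set[str], population: List[str]) -> float:
    return len(failed) / len(population) if population else 0.0


def improvement(rate1: float, rate2: float) -> float:
    """Relative drop between rounds; 0.15 falling to 0.075 is 0.5, i.e. 50%."""
    return (rate1 - rate2) / rate1 if rate1 else 0.0


def run_exercise(employees: List[str], round1_log: Iterable[str],
                 round2_log: Iterable[str]) -> dict:
    # Different campaign ids give different tokens, so rounds cannot be mixed up.
    failed1 = attribute_clicks(build_token_map("phish-r1", employees), round1_log)
    failed2 = attribute_clicks(build_token_map("phish-r2", employees), round2_log)
    rate1 = failure_rate(failed1, employees)
    rate2 = failure_rate(failed2, employees)
    return {
        "round1_rate": rate1,
        "round2_rate": rate2,
        "improvement": improvement(rate1, rate2),
        "round2_failed": sorted(failed2),        # get the tutorial again
        "survey": sorted(failed1 & failed2),     # failed both rounds: feedback survey
    }


# Constructed population and click logs; not data from the original exercise.
EMPLOYEES = [f"e{i:03d}" for i in range(20)]


def _sample_log(campaign: str, clickers: List[str]) -> List[str]:
    return [f"2009-02-01T09:{i:02d}:00Z GET /r/{tracking_token(campaign, e)}"
            for i, e in enumerate(clickers)]


ROUND1_LOG = _sample_log("phish-r1", ["e001", "e004", "e007", "e012"]) + [
    "2009-02-01T09:30:00Z GET /r/deadbeefdeadbeef",   # forged token, ignored
]
ROUND2_LOG = _sample_log("phish-r2", ["e004", "e015", "e004"]) + [
    # e004 clicked twice (counted once); a stale round-1 link is ignored
    f"2009-04-01T10:00:00Z GET /r/{tracking_token('phish-r1', 'e007')}",
]

RESULT = run_exercise(EMPLOYEES, ROUND1_LOG, ROUND2_LOG)

if __name__ == "__main__":
    print(f"round 1: {RESULT['round1_rate']:.0%} clicked")
    print(f"round 2: {RESULT['round2_rate']:.0%} clicked "
          f"({RESULT['improvement']:.0%} improvement)")
    print("feedback survey:", RESULT["survey"])
```

With the constructed data, 4 of 20 click in round one and 2 of 20 in round two, a 50% relative improvement, and the one employee who clicked in both rounds is the only one routed to the feedback survey. In a real exercise the population is the full mailing list and the logs come from the landing page's web server, but the attribution and scoring logic is the same.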
Some low-level activities that organisations use to create security-conscious end users are displaying posters, running banners on the company's intranet, hosting a computer awareness day and distributing security training material.
An additional training tool is to run mock scenarios to reinforce what to look for, what action to take and who to contact. "The user has to know, this is what you have to do and why you have to do it," Rasch says.
It's also important for organisations to provide role-based training for individuals with specific jobs and responsibilities, says Mark Wilson, IT specialist, information security, with the NIST Computer Security Division in Maryland.
Reissmueller takes a multi-pronged approach to security awareness, which includes penetration testing, because he finds that policy and education alone aren't enough.
"The goal is to make security awareness a partnership between the end user and the business, something they do without realising they're thinking about it," he says.