
Security Awareness

According to the University of Sheffield's University Wire magazine, "Often in an organization, the weakest link is not the software on the systems or the hardware that makes it up; the weakest link is the individual." This view is becoming the prevailing one in modern organizations. Security awareness is measured as the degree to which an employee understands and acknowledges the necessity and importance of information security (Kruger & Kearney, 2006). The purpose of security awareness is to ensure that an organization's information security policy is adhered to. It enables employees to appreciate and consciously follow the best practices and procedures the organization has adopted. Security awareness should stem from C-level decision makers, who should know how vital it is for the return on investment and longevity of an organization. This thinking should trickle down to the entry level of the organization, and the behavior of external parties that interact with the organization should also be influenced.
In addition, employees should be aware that cyber security is not a function of the IT department alone but is integrated throughout the organization, where everyone is responsible for actions that can lead to security breaches. Even with an information security policy that follows best practices, procedures and standards and complies with regulation and laws, the employee is the weakest link if their degree of awareness is low (Bulgurcu, Cavusoglu, & Benbasat, 2010). Security awareness helps a company maintain a reputable profile and its competitiveness in today's world. Employees should be made mindful that their daily habits and actions directly affect the health of an organization. Even with a state-of-the-art security program and resources, a single act of negligence can lead to the total collapse of an organization. Awareness in the workplace is identified as the most important factor in conforming to an information security policy (Chan, Woon, & Kankanhalli, 2005). Employees are in many cases unaware of how their actions can contribute to a breach in security.
The following is a journal of incidents that can occur in any organization and that can have serious repercussions for the longevity, survivability and competitiveness of a business: use of organizational laptops at home, improper segmentation of student labs from staff network access, reuse of passwords across multiple servers, unsafe storage of documentation, opening of email attachments from unknown sources, inadequate information security orientation for new staff members, improper storage of access control key fobs, inadequate assessment of third-party code libraries, insufficient testing and evaluation of code, improper access management for key work spaces, and poor network access management for external equipment and devices connected to the organization's networks.
Staff members who are allowed to take work equipment and devices home can expose the organization to external threats. When these devices are connected to unprotected or even public networks, malware can be installed on them, which can in turn be transmitted to the organization's network when the staff member returns to work. In addition, student information literacy sessions are held in training rooms that are also used for staff training, and the computers in these rooms are connected to the staff network. Students are allowed to bring external devices such as USB drives; malware, spyware and other ill-intentioned software on these drives can propagate to the staff network, where it can wreak havoc. External devices should therefore be quarantined before being given access to network resources. Network access control servers are important in mitigating the risks of attaching a foreign device to an organization's network.
Many IT departments with numerous servers are guilty of reusing the same password credentials for access to all of their servers. This one-size-fits-all mentality is a serious security concern: once the shared password is cracked by a rogue entity, whether internal or external, ransomware and worms can be installed on every server that uses it.
Software development teams are tasked with creating documentation for systems, and this documentation may contain configuration information and password credentials. Staff members do not always recognize the importance of storing such documentation in protected places, or of encrypting it before storing it. Once documentation is viewed by illegitimate users, it can be a stepping stone to more sophisticated social engineering attacks aimed at infiltrating the organization's network. In addition, these teams may use external libraries that have not been vetted properly to ensure they contain no malicious code. Once such a library is installed on a server, the server can become part of a botnet.
Another common error is opening attachments in emails from unknown sources. Employee curiosity can kill an organization's reputation, since many of these attachments carry embedded macros that can harm a system or network.
Another problem is the lack of information security orientation. All new members of staff should be made aware of the company's security policy and of the sanctions for not adhering to its guidelines and practices. In addition, proper management of physical access to key areas such as server rooms should be outlined to ensure that public and external users do not gain entry.
According to NIST SP 800-50, "A successful IT security program consists of: 1) developing IT security policy that reflects business needs tempered by known risks; 2) informing users of their IT security responsibilities, as documented in agency security policy and procedures; and 3) establishing processes for monitoring and reviewing the program" (p. 7). Embracing change is one of the hardest endeavors, and promoting a culture of awareness is no exception, because it involves behavioral change. To aid in a smooth transition there are several initiatives that can be executed, as outlined below.
Examples of initiatives include classroom-style training sessions, useful website links, periodic reminder emails and even posters (NIST, 2003). These should be coupled with continuous assessment and evaluation to ensure compliance (SANS, 2008). Classroom-style training sessions can be viewed as the vehicle for disseminating the information that users, including managers, need to do their jobs, and they are one of the most widely used information dissemination tools. Employees' engagement in a classroom-style training session can be enhanced by awarding certificates of participation on completion, which adds value and proof to an employee's professional development. This type of training should lay the foundation and cover the core aspects of a security program, including best practices, standards, procedures and even sanctions for non-compliance.
These training sessions, however, may have to be tailored to the different categories of staff and their job functions. This can be a time-consuming endeavor; however, it can be conducted during a low-peak period in the organization's lifecycle. In addition, with the use of MOOCs an online course can be developed to facilitate training for remote users. Moreover, new employees can be oriented with this information to ensure that awareness of expectations and procedures is established early on. Topics that should be included in a comprehensive training session include handling unknown email attachments, web usage, spam emails, shoulder surfing, incident response, individual accountability, password management and usage, and desktop security. These form the base information for all employees, while more specific topics include timely application of system patches and updates and secure coding practices.
Once the employee has received a formal introduction, other initiatives can follow, such as periodic emails that highlight important points and remind staff members of their roles and responsibilities. These can be sent by a departmental head or supervisor on a weekly or biweekly basis. In addition, group discussions at departmental meetings that highlight the importance of security and reiterate security policy topics can help ensure that all staff members, as a group, are informed and acknowledge the information. Posters are useful in reminding employees of procedures, for example how to handle spam emails or verify an email's source; these can take the form of a checklist or a do/don't list. Another initiative is the use of awareness materials such as t-shirts, pens, screensavers or even mascots. Moreover, an organization's appreciation for adherence to security policies can be highlighted with employee awards.
An organization's effort in implementing and maintaining a culture of awareness can seem like a time-consuming and costly commitment; however, cost-benefit analysis and recent global hacks show that investment in an awareness program is just as important as any other facet of an organization.

References

Bulgurcu, B., Cavusoglu, H., & Benbasat, I. (2010). Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS Quarterly, 34(3), 523–548.

Chan, M., Woon, I., & Kankanhalli, A. (2005). Perceptions of information security in the workplace: linking information security climate to compliant behavior. Journal of Information Privacy and Security, 1(3), 18–41.

Cyber security awareness month: why cyber security awareness training is vital. (2016, Oct 13). University Wire. Retrieved from https://search.proquest.com/docview/1828286677?accountid=13828

Kruger, H. A., & Kearney, W. D. (2006). A prototype for assessing information security awareness. Computers & Security, 25(4), 289–296.

SANS. (2008). The Importance of Security Awareness Training. SANS Infosec Institute.

NIST. (2003). NIST SP 800-50: Building an Information Technology Security Awareness and Training Program.
