Security Awareness in the Enterprise

Jacob D. Furst

Jean-Philippe Labruyere

22 March 2006

Four Levels of the Enterprise

• End users

• Technical and security staff– Technical– Audit– Compliance

• Management

• “The Boardroom”

• What did we miss?

End Users

• Regular “security awareness lunches”

• Security policy agreements– Human Resources– Legal

• Email campaigns

• Mock attacks

• Create a culture of security awareness

• What do you do?

Security Lunches

• Security brown bags

• Regularly scheduled seminars

• Invited speakers

Security Policy

• Make time for employees to read• Expect end-users to read• Have them sign it initially and annually (maybe

as part of annual benefit enrollment)• Make policies readable and consistent with

organizational culture• Make enforcement explicit• Keep this alive – if policy changes, start from the

top

Email Campaigns

• An email a day keeps the hacker away

• Use other common venues– Bulletin boards– Paychecks– Intranet log-on

• Don’t spam – overexposure can be counter-production

Mock Attacks

• Ask all employees to send current information over email…

• Send email from manager with suspicious attachment…

• Send email from well known (and liked) employee with suspicious link…

Culture of Security Awareness

• Make security explicit

• Reward good security habits

• Lead by example– Yourself– Your boss– Solicit help from end-users themselves

Technical and Security Staff

• Regular presentations– Increase awareness with end users– Makes staff accessible

• Make reporting incidents easy

• Technical training

• Compliance training

• Education

• How else to increase their expertise?

Presentations

• Get your security people to mix– With end-users– With project planners– With management

• If employees know who the security people are, they are already buying in

Make Reporting Easy

• Starts with security policy

• Provide multiple avenues– Paper– Verbal– Email– Internet– Anonymous

• Recognize effective use of reporting

Technical Training

• Plethora of certifications

• Encourage membership in professional societies

• Recommend readings from journals, newspapers, the web

• Expect it and recognize it

Compliance Training

• These people will likely implement it, they need to understand it

• Can you legal department handle it?

• Are their opportunities to outsource? Do you trust them?

Education

• Big investment

• Use as a reward

• Strategic decision to empower long-term thinking about security

Management

• Compliance training

• Legal and technical seminars

• Incorporate security in business processes

• Instill a culture of information security ethics

• What more can you do?

Compliance Training

• Can you do this in house?

• Who are the recognized and respected names in your business?

• How does compliance impact business processes with respect to security?

Legal and Technical Seminars

• May be done in-house– Legal department– Security personnel

• Many opportunities for outsourcing

• Expect it of managers and recognize them for doing it

Incorporate Security

• Security as an band-aid will fall off in the shower

• A “non-functional” requirement, but a requirement none-the-less

• Work with project managers to make security part of the project

Instill a Culture of Ethics

• “Do what I say, not what I do,” just won’t work

• Most difficult part of being a leader – you must live the result you want

• Ethics is the only thing that separates the white hats from the black hats

• Ethics can be taught!

The Boardroom

What can you do?

The Boardroom

• Money talks

• Find a champion

• Get them involved

• Make legal implication explicit

• Organizational culture is defined here

Money Talks

• Risk assessment

• Security must pay for itself

• Security is a recurring budget item, not an expense

• “Amortizing” the cost of security may help

Find a Champion

• Is anyone in upper management a technophile?

• Security savvy?

• Forward thinking?

• Find this person and groom…

Get Them Involved

• Look for ways to get upper level management involved in security

• Have them send the “suspicious” email

• Have them recognize good security efforts

• Solicit feedback on policies

Legal Implications

• International, national, state, and municipal laws

• Standards of conduct

• Reasonable expectations of care

• Consequences of non-compliance