Security's Everyman

Thursday, December 28, 2006

Improving Security Awareness

There is a lot of talk about what is most important in security. (Here, here, and others that I can't find at the moment) Protecting from hackers trying to get in from the outside, or keeping the insiders from taking stuff outside. Both of these are valid concerns that we need to keep a handle on. Protecting the perimeter and even the endpoints is pretty straightforward. Keeping people from walking out the door with data is a different story. It requires different methods of protection and detection. There is a third area of concern that I see. It is usually lumped in with keeping the bad guy out, but the way he gets in is different. He comes in through the front door on a laptop that was compromised outside of the office.

For companies with large IT staffs and budgets this may not be a big deal, but for most small companies this is a major concern. With the prevalence of vulnerabilities, the ease of getting something undesirable on your system, the lack of user awareness and the increase in user apathy, this is a major problem. Small companies' IT departments are already understaffed and have too much work to do. They don't have the staff or budget for stellar security products and are at the mercy of their users. They have to rely on their users being careful and cautious. The problem is that most users don't think about (or even know about) the dangers that lurk out there. They don't realize (and often don't care) that the porn sites they go to are full of malicious code. They don't realize that airport and hotel wi-fi are often compromised. They don't think about the fact that email is sent in clear text and can be read by anyone who captures it, nor do they heed our warnings not to click on email links or open attachments.

It's not the disgruntled user, the sneaky hacker, or the money-hungry insider that concerns me the most. It's the unaware, apathetic user who thinks that they can do as they please with their company-owned and -issued PC. A rootkit or piece of spyware that is on a machine is more dangerous than someone randomly scanning ports looking for a way to sneak into the network. It is even worse than most determined attempts to break in from the outside. Once they are on the machine they don't have to look for a way in. They are already in.

User awareness training has to be a major focus. It has to be improved so that it becomes more effective. It has to get the attention of the user and it has to have relevance to them. If they don't realize the potential impact to the company and how that can potentially affect them, then they won't take the necessary precautions. They don't have to clean up the mess. They don't have to try and repair the damage. They don't have to worry about the potential impact to the stock price or have to answer to the board. Therefore, they don't really care. Making them care is the key to effective security awareness training.

This work is licensed under a Creative Commons Attribution-NC-SA 3.0.