Scott Wright at the SecurityViews blog has a good post where he gives his take and analysis on the Pfizer laptop breach incident. He said that he make this into a series. I hope he does.
He makes some good points about what went wrong, what could be done differently and what the implications are. My favorite on for a couple of reasons is this:
Get serious about security awareness in the organization. Policies are no fun to read, and just having them doesn’t make them happen automatically. Security awareness training and regular updating is essential. But it doesn’t have to be tedious, and people need to be kept up to date on what to watch for.I like this because right now I'm in the middle of reviewing, updating and creating new policies for my company. They are dull and it's hard to stay away while doing this at times. Unfortunately if you make them fun then legal whines and they rewrite them in a way that no one can understand. I also like it because it re-enforces my belief that security awareness training is a KEY piece in a security program and maintaining a secure environment.
I just turned to todays entry of my handy "The Art of War" calendar and what do you know Sun Tzu has an appropriate comment for this very thing.
If your own army is hesitant and confused, you bring trouble on yourself, as if you were to bring enemies in to overcome you.If we don't have effective security awareness training then our "army" will be hesitant and confused. They don't know what is and isn't safe to do because they don't live this stuff like we do. We have to train them. We have to give them the knowledge and understanding of what is going on so that they are not hesitant and confused. How many "average" computer users know the dangers of file sharing software? Their friends use it and their computers haven't crashed. What about the dangers lurking on sites such as My Space and porn sites. Do most people really think that by surfing for porn that they are possibly giving bad people access to their online banking credentials? No they don't. They aren't aware of the problems.
That is why a good security awareness program at work will not only benefit the company but the employee and their family and friends also. When they know the reality of this they will share it with others. Information Security may be focused on the corporate network but it expands way beyond the borders of our firewalls. Someone posted a comment on my "Why IT doesn't really get security" post where he said that he had all but given up on security awareness because ... well I'll let you read it here, it's a bit long. He has some good points but as I've said before we can't give up on security awareness training. We can't quit our users. Technology can only do so much. People have to do the rest.
Let's be careful out there,