Enterprise Security: The Human Factor
Why organizations need to get serious about security awareness training
Threats from viruses and other electronic attacks may garner big headlines, but employee behavior may be an even greater risk to the enterprise. Even if an organization successfully locks down its exposed network assets, installs intrusion detection software, and institutes other electronic measures, a big vulnerability remains on the inside: how employees understand, respect, and obey security policies.
Experts say physical security is as pressing a problem as it's ever been. Phil Aronson, CEO of Aronson Security Group (ASG), the largest security services firm in the Pacific Northwest and one of the 25 largest in the country, describes it as an issue of "convergence" -- the point at which the twin problems of securing information assets and securing physical assets become a single problem.
"That's a huge market change we're talking about in the physical security space. What we're now talking about is how security must address IT security and physical security," Aronson explains. He and other security professionals point to another problem: how human beings compromise resources. As a result, organizations should implement security awareness training programs to help educate employees about potential attacks -- including those from the inside.
"It's always assumed that people are already the weak link," says Theodore Woo, CISSP, an independent security consultant based in the Washington, D.C. area. "All security policies and guidelines are ineffective if no one knows about them. So security training is necessary at all levels of your organization because management has to know what they are implementing and end users have to realize the importance of those guidelines and how they apply to [themselves], as well as the possible consequences if they aren't followed."
A veteran software developer who spoke on condition of anonymity recounts a scenario this way: "We had this group of users [that] wanted to generate custom reports, so they were sharing this password [which gave them direct database access] because getting your own login to a database is a very involved process," he explains. "You have to get management's approval, you have to get the data management group involved to set your level of access -- your 'least privilege' -- to determine what [kind of access] you need to do your job and nothing more."
Instead of jumping through the hoops prescribed by both policy and an ever-protective data management group, this software developer says, users obtained a password from an employee in another business unit and shared it among themselves. "Somebody from another group just came along and said, 'I have a login and I can use it to pull up what I need, so let's try running your query and see if it works for you, too.'"
It's for this reason, says ASG's Aronson, that securing IT resources isn't just -- or isn't exclusively -- the responsibility of IT. Increasingly, organizations are tasking enterprise security departments -- anchored by Chief Security Officers (CSOs) -- to coordinate security among IT, business users, and physical security personnel. It's a move that CISSP Woo applauds. "You must remember that IT is not necessarily security. IT implements whatever the security department comes up with," he points out.
In the case of the business users who collude to share a single, unauthorized password instead of individually applying for direct database access, Woo counsels a pragmatic approach.
"The ideal solution would be if you detected such activity [several people using the same password] to clamp down on it, [to] inform the management of the group that had violated that," he indicates. "But you don't want to come down like a ton of bricks on anyone; you just want them to understand what could happen. Ideally, you would want every group to have a separate, auditable trail, and that is what is defeated when people start sharing passwords."
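Woo's point that the compensating control is to detect the sharing is easy to turn into a concrete check. The following script is an added example for this article, not code from Woo, Aronson, or any product they mention: it reads database login audit records and flags accounts that logged in successfully from more than one source address within a short window, which is the usual footprint of a password being passed around a group. The key=value audit format, the account names, the addresses, and the allow-list of service accounts are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of database login audit records for this example; not
# real data. The key=value syslog-style layout is an assumption, not any
# specific database product's audit format.
SAMPLE_AUDIT_LOG = """\
2024-03-04T09:02:11Z db=reports user=rpt_shared src=10.1.4.22 result=ok
2024-03-04T09:05:40Z db=reports user=rpt_shared src=10.1.4.37 result=ok
2024-03-04T09:06:02Z db=reports user=jdoe src=10.1.4.22 result=ok
2024-03-04T09:41:19Z db=reports user=rpt_shared src=10.2.9.8 result=ok
2024-03-04T10:15:00Z db=reports user=etl_batch src=10.0.0.5 result=ok
2024-03-04T10:16:33Z db=reports user=rpt_shared src=10.1.4.22 result=fail
2024-03-04T13:30:00Z db=reports user=msmith src=10.1.4.90 result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) db=(?P<db>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_audit(text):
    """Parse key=value audit lines into dicts; lines that do not match are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def find_shared_accounts(events, window=timedelta(hours=1), max_hosts=1,
                         known_service_hosts=None):
    """Flag accounts whose successful logins come from more than `max_hosts`
    distinct source addresses inside any span of length `window`.

    A personal account normally logs in from one workstation, so several
    sources in a short span is the signature of a shared password. Service
    accounts listed in `known_service_hosts` (assumed allow-list) are exempt
    as long as every source seen is one they are expected to use.

    Returns {account: sorted list of source addresses seen}.
    """
    known_service_hosts = known_service_hosts or {}
    by_user = defaultdict(list)
    for ev in events:
        if ev["result"] == "ok":          # failed attempts open no session
            by_user[ev["user"]].append(ev)

    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            # every later login that falls inside the window opened by this one
            srcs = {e["src"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if srcs <= known_service_hosts.get(user, set()):
                continue                  # only expected hosts; not sharing
            if len(srcs) > max_hosts:
                flagged.setdefault(user, set()).update(srcs)
    return {u: sorted(s) for u, s in flagged.items()}


if __name__ == "__main__":
    report = find_shared_accounts(parse_audit(SAMPLE_AUDIT_LOG))
    for account, hosts in report.items():
        print(f"possible shared credential: {account} used from {', '.join(hosts)}")
```

Run against the sample, the script reports only `rpt_shared`, which was used from three workstations in under an hour; `jdoe` and `msmith` each log in from a single address and the batch account is on the allow-list. The output is exactly the evidence Woo wants to hand to the group's management: it shows that one login has lost its one-person audit trail, without yet naming anyone, since once a password is shared the audit log itself can no longer say who ran which query.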
As a result, Woo urges, organizations need to pay more than just lip service to security awareness training. That doesn't mean a one-time seminar, either.
"As with any education, a one-shot deal is unlikely to produce any type of retention," he indicates. For example, Woo says, one company he's familiar with periodically distributed a security newsletter -- complete with refrigerator magnet trinkets -- which featured "easily digested" security bullet points. "One of them compared passwords to bubble gum: they're only good when they're fresh, and you shouldn't share them."
As is so often the case, most organizations are reactive: only after a breach do they get serious about security awareness training. Ideally, Woo says, they'd be more proactive in this regard. "Part of the problem is until there is a breach, it's difficult to justify pulling people off billable hours to send them to these classes," he concludes. "But, in my opinion, you'd want at a minimum annual [training]. We learn by repetition and we need to have this [training] periodically refreshed."