It’s always the insider. Well, maybe not always, but it sometimes seems that’s what we are hearing. I was reading articles on some recent cases and any of them seem to have a common theme: “XXX Case Exposes Insider Risks” and “Employee Error Leads to XXX Hack” are just a couple recent headlines. The press also published info about a recent breach which was caused when an employee clicked on an attachment that they pulled from the junk email folder.
This is not to say that there are more insider attacks than there are outsider attacks. Some studies actually show that this is not true. But, at the same time the damage that can be caused by a dedicated insider attack has the potential to cost more and potential to be more significant. And, this is not because all insider attacks are of an overtly hostile nature. Users make a configuration error, or change a setting while fixing the system, then don’t reset security options. Users authorize a system before it is finished, or fail to decommission an old system, or fail to disable departed users. Simply put, users make errors everyday. Besides that, users are simply vulnerable to a variety of attacks.
As a result, social engineering attacks work. Phishing attacks work. Emailing attachments works. Heck, even the Nigerian scam still works sometimes or we would not be seeing it anymore – I see some variation of the Nigerian scam almost everyday. How many times a week do you see someone poking at you? Collect money from a bank in Nigeria, Switzerland, or Colombia. You are being audited by the IRS and must return last year’s tax return to the included .yahoo email address (does that really work?) You have a package failing delivery at FEDEX or UPS, and must open the attachment to get the tracking information.
Unfortunately, there is no such thing as a firewall that runs on people and helps stop them from doing something unwise. How do you stop users from being problems? This is one of the many cases where there truly is no silver bullet, but one of the best things you can do to best protect yourself from people is train them. You should have a security awareness and training program that helps make sure your staff knows what they have to know to protect organizational data and resources.
Want to evaluate the quality and effectiveness of your security awareness and training program? Then read on and answer the questions below. Give yourself one point for every question you can unequivocally answer “yes”. Do not feel bad if you start answering “No”, since this quiz holds a high standard.
1. Awareness Program Management
a. Program Definition
i. Do you have a Security Awareness and Training Program?
ii. Is it a formal program?
iii. Is it approved, blessed, and endorsed by organizational management, including responsible security and compliance authorities?
iv. Is it blessed at the executive level of management?
v. Does the training program have defined goals?
vi. Is curricula developed by subject matter experts?
vii. Does someone with an educational background help develop curricula?
viii. Do you consider technology training for network, systems, and security staff (like training your Firewall admin on the exact firewall you use)?
ix. Do you include training on specific regulatory standards to which you are obligated to comply?
b. Targets and Schedule
i. Is training provided for new hires?
ii. Is training periodically repeated as refresher training?
1. At least annually?
iii. Is training reinforced with additional reminders like posters, email, intranet posting, et al?
iv. Is everyone trained, including managers?
1. Including every staff member who has any access, including interns, students, temps, receptionists?
2. Including on site vendors or third-party employees who have access to your data?
v. Is training required for all staff?
vi. Is training required for all staff before they get access to sensitive organizational systems and/or data?
vii. Do you record who attends training?
viii. Do you give tests on the training material?
ix. Do you record test results?
x. Do you record acknowledgement from the employee that they “understand” the material presented?
xi. Do you record acknowledgement from the employee that they agree to comply with the material in the training?
2. Awareness Program Content – Does the training include:
i. Organizational mission statement and/or goals?
ii. Basics of the organization’s Security Policy?
iii. Details of the organization’s Security Policy?
iv. Defined good practice security within the organization?
v. Identification of the Chief Information Security Officer, Data Privacy Officer, and/or other people/groups responsible for security controls?
vi. Location of the actual written Information Security Policy on the organizational intranet?
b. Data Sensitivity
i. Data handling and classification guidelines and processes?
ii. Specific privacy concerns related to data consumed, processed, or transported by the organization?
iii. Sessions to practice the classification of example data?
iv. Processes for disposal of data?
v. Guidance for use of social media, and what can/cannot be released or discussed in a public forum?
vi. When to encrypt data?
vii. How to encrypt data?
viii. Employee responsibility for organizational/client/customer data?
ix. Regulatory requirements for protection of organizational /client/customer data?
x. Using the organizational VPN?
c. Standard Security Policy Support
i. Fundamental information security?
ii. Roles and responsibilities of employees and other staff?
iii. Proper password usage?
iv. Prohibition to never share passwords?
v. Required actions to properly backup data, or support backups?
vi. Organizational rules on software piracy, proper licensing, and misuse of work software?
vii. Organizational rules on respecting copyright rules?
viii. Safe internet navigation and computer use?
ix. Acceptable use of organizational resources?
x. Not opening attachments from unknown senders?
xi. Being cautious about opening any attachment from outside the organization?
xii. Responsible use of public wireless?
xiii. Prohibition or caution on using personal information on work computers?
xiv. Prohibition or caution on using work information on personal devices?
xv. How to recognize virus attacks?
xvi. How to recognize social engineering and/or phishing attacks?
xvii. Incident reporting processes?
xviii. Expectations to honor all training and policies after any separation?
xix. Do you use any case-study examples to reinforce the training?
d. Physical Training
i. Employee and visitor badges?
ii. Piggybacking and tailgating?
iii. Prohibition against leaving systems unattended?
iv. Processes for disposal of media?
v. Processes for management of returned devices (like laptops) that hold organizational data?
The quiz is not perfect. You probably have thoughts that are not included, and even more likely are thinking, “why would we include that?” That said, every one of the questions covers a topic that has a purpose. Answering all of the above questions “yes” probably pretty well defines a ‘best of breed’ security awareness and training program. Check yourself against the list. If you are missing something on the list, it definitely does not mean you are negligent, but if you are missing everything, you definitely are. In each case, you will have to consider if the training element reinforces a control that is appropriate for your organization. Other than that, compute your score:
55 or more If you scored 55 or more “yes” answers, you already know this stuff and have yourself under control. You could probably be teaching other organizations how to design and implement security awareness programs. You have a well-defined and executed program that pretty consistently exceeds standards of due care. Maintain your program and stay vigilant on quality updates.
39-54 If you scored between 39 and 54, you have a pretty well defined program, but you have some gaps, and realistically, you probably know it. Review the questions which you could not answer “absolutely yes” and evaluate whether or not the question identifies a training element that would help your organization. Not all of them will be truly appropriate, but you are better off making that a conscious decision than just missing the control completely. Review your existing program and see where you need to expand/reinforce.
Less than 38 If you scored less than 38, go back to GO and do not collect $200. To put it bluntly, you are probably an accident waiting to happen. Use the questions as a checklist, and consider contracting out at least the start of a formal awareness program. Start somewhere, and make conscious decisions on what to include in your awareness program. Don’t just add or omit items from your training casually. Instead, in every case, keep making positive improvements with every new element you add. Consider your business goals, and defined policies, and train to support both.