It is very important for IT team members to participate in
security awareness and education and, above all, to comply with the corporate
guidelines for IT security. This may be mandatory in some organizations, but even
where it is not, it is paramount to understand that security requirements, guidelines,
policies, and procedures vary between organizations. It is management's
responsibility to ensure that every employee understands, accepts, and follows
the corporate security rules and is kept up to date with prevailing threats
through periodic training.
Studies have shown that the IT employees who are supposed to
enforce security are often the ones breaking the rules, and will frequently
circumvent controls, for instance when USB devices are blocked, a website
is forbidden, or a specific application is not permitted. For a typical
user, that would be the end of it, but an IT user may decide to tamper with the
system settings, change a registry entry, or use a portable proxy-avoidance
tool.
Since standard security controls may not be that effective
with IT employees, the only remaining option is to make sure they are aware of the risks of
not following the rules; this should include both the threats to the company and
the consequences violators will face.
Most security incidents involving IT employees are
caused by simple mistakes, such as using a weak password against a company
policy that mandates complex passwords, or writing passwords down in easily
found places.
Software developers are another group that can introduce security
flaws. It is common for someone struggling with a syntax error to download
sample source code and use it without considering the security
implications. Some may even share a
piece of sensitive code on a public online forum when looking for help.
The fact is that while IT
employees may be more comfortable with technology, they are not immune to
simple mistakes, and that includes falling victim to social engineering,
opening attachments from unknown sources, downloading software from outside the
official stores, clicking on links on social media sites, and so on. Again, even
though IT employees are expected to know that this is risky behavior,
incidents are bound to happen without proper security awareness training.
IT personnel are a prime target for cyber criminals
because of their access to sensitive information: some have source code access,
administrative rights, physical access to restricted areas, or unrestricted
network access. If an IT user falls victim to a phishing attack, the attacker
inherits that user's privileges, and with them access to the organization's secrets.
Security Awareness: How to Educate IT Employees
The best approach to preventing both unintentional and
deliberate security incidents from IT personnel is to create an awareness
program that reflects the level of harm an employee may cause to the business.
This requires a proper understanding of the audience and
developing awareness material accordingly: while part of the awareness material
will be designed for employees as a whole, some of it must be created
specifically for key areas such as IT, or even for particular roles within IT such as
developers, database administrators, and network administrators.
Here are some tips that can be quite useful in bringing your awareness
program up to speed.
Speak their language: Since we are talking about IT employees, it is reasonable to
assume that they already have a good understanding of technology; otherwise you
would not have hired them. As with any audience, speaking a language they
feel comfortable with is key to getting your message through.
With a general employee group, using technobabble may not be the best idea, but
since we are talking about IT geeks, this approach can be of great value in getting
their attention.
The basics of information security: Understanding
technology, and even being an expert in some related areas, does not require a
profound knowledge of information security, so it is best not to assume that
IT employees are already proficient in it. There is no harm
in starting from the basics, so some effort should be made to ensure that things
like basic concepts, terminology, procedures, guidelines, and policies are well
understood. This can be accomplished quite easily by creating a security
handbook (which can also be used with non-IT employees) and holding short
presentation sessions.
Be specific: IT employees work in several different
areas, each subject to specific risks. While it is important to have your
entire team aligned on the general terms, there is little to be gained from
spending resources and time educating an employee about a subject that does not
involve their line of work. For instance, server administrators may not need to
know more than the basic concerns around coding vulnerabilities, and your
development team does not need the same depth on the operating system's
security settings. Again, it all depends on knowing and understanding your
audience.
Whenever possible, use real examples: More often than not,
IT personnel will be directly involved in dealing with security incidents.
While it is important to avoid over-exposing past issues, practical
examples pertinent to the company's own risk scenario are one of the best ways
to build awareness. For example, if a company has a history of malware
infections or, even worse, has suffered a ransomware attack, it is always worth
discussing it with the tech team and pointing out which security controls were
missing and, if there was malicious intent, what the consequences were and what
has improved to help avoid further occurrences.
Concluding Thoughts
The human factor has been, and will remain, a major part of
most data breaches and other types of security incident. IT employees can be
either a source of vulnerability or one of the most resilient combatants in
a company's information security efforts; it is all a matter of being aware and
adequately trained.
While IT people generally have more experience and are even
easier to educate on security matters, it is important not to underestimate the
level of exposure that may arise if IT employees are not part of security
awareness efforts. Simple unintentional mistakes can become major incidents that
may impact operations, financial results, and even the image and reputation of any
business.