Security Awareness for IT Employees

It is very important for IT team members to participate in security awareness and education and most of all comply with the corporate guidelines for IT security. It may be mandatory in some organization but even if it’s not so, it is paramount to understand that security requirement, guidelines, policies, and procedure will vary between organizations and it is important for the management to ensure that any employee will understand, accept and follow the corporate security rules and be updated with prevailing threats in the course of a periodic training.

Studies have showed that IT employees who are supposed to enforce security are fond of breaking the rules, and most of the time circumvent the rules, for instance, if the USB devices are blocked, a website is forbidden, or rather a specific application is not installed. For a typical user, that would be it, but an IT user may decide to mess around with the system settings, changing a registry entry, or using a portable proxy avoidance tool.

Since standard security controls may not be that effective with IT employees, the only option is make sure they are aware of the risks of not following rules; this should include both the threats to the company and the consequences violators will face.

Most security related incidents related to IT employees are caused by simple mistakes like using a very simple password against company policy of enforcing complex passwords, or even writing them down in easily found places.

Software developers are another group that can create security flaws. It is common for someone having trouble with a syntax error to download sample source code and use it without considering the security implications.  Some may even share a piece of sensitive code on a public online forum in search for help.

 The fact is, while IT employees may be more comfortable with technology, they are not invulnerable to simple mistakes, and that includes falling victim to social engineering, opening attachments from unknown sources, downloading software from outside the official stores, clicking on links in social media sites, etc. Again, even though IT employees are expected to know that this is a risky behavior, incidents are bound to happen without proper security awareness training.

IT personnel are mostly a prime target for cyber criminals because of their access to sensitive information. Some have source code access, administrative rights, physical access to restricted areas, unrestricted network access. If any IT user fall victim to a phishing attack, he automatically compromises the organization’s secrets

Security Awareness: How to Educate IT Employees

The best approach to prevent both unintentional and deliberate security incidents form IT personnel is to create an awareness program that reflects the level of harm an employee may cause to a business.

This will require a proper understanding of the audience and developing awareness pieces accordingly, while a part of the awareness material will be designed for the employees as a whole, some of it must be created specifically for key areas such as IT or even other areas of IT such as coders, database administrators, and network administrators).

Here are some tips that can be quite useful in bringing your awareness program up to speed

Since we are talking about IT employees, it is reasonable to assume that they already have a good understanding of technology, otherwise you would not have hired them. As with any audience, speaking in a language they fell comfortable is of key importance if you wish to get your message through. With a general employee group, using technobabble may not be the best idea, but since we are talking about IT geeks, this approach can be of great value to get their attention going.

The basics of information security: Now, understanding technology and even being an expert in some related areas may not require a profound knowledge of information security, so it is always best to not assume IT employees are already proficient with information security. There is no harm in starting from the basis, so some effort should be made to ensure that things like basic concepts, terminology, procedures, guidelines, and policies are well understood. This can be accomplished real easily by creating a security handbook (that can also be used with non-IT employees) and having quick presentation sessions.

Be specific: IT employees can work in several different areas that are subject to specific risks. While it is important to have your entire team aligned on the general terms, there is little to be gained from spending resources and time educating an employee about a subject that does not involve his line of work. For instance, server admins may not be required to know more than the basic concerns of coding vulnerabilities and your development team does not need to be concerned with the operational system’s security settings. Again, it is all dependent on knowing and understanding your audience.

Whenever possible, use real examples: More often than not, IT personnel will be directly involved in dealing with security incidents. While it is important to avoid over-exposition of past issues, having practical examples pertinent to the company’s risk scenario is one of the best approaches to accomplish awareness. For example, if a company has a history of malware infection or, even worse, suffered a ransomware attack, it is always good to discuss it with the tech team and point out whatever security controls were missing and, if there was malicious intent, what the consequences were and what has improved to help avoid further occurrences.

Concluding Thoughts

The human factor has been and will remain a major part of most data breaches or any other type of security incident. IT employees can either be a source of vulnerability or one of the most resilient combatants in a company’s information security efforts; it is all a matter of being aware and adequately trained.

While IT people in general have more experience and are even easier to educate on security matters, it is important not to underestimate the level of exposition that may arise if IT employees are not part of security aware efforts. Simple unintentional mistakes can become major incidents that may impact operations, financial results, and even the image/reputation of any business.