Security Awareness in the Enterprise - PowerPoint PPT Presentation

1
Security Awareness in the Enterprise
  • Jacob D. Furst
  • Jean-Philippe Labruyere
  • 22 March 2006

2
Four Levels of the Enterprise
  • End users
  • Technical and security staff
      • Technical
      • Audit
      • Compliance
  • Management
  • The Boardroom
  • What did we miss?

3
End Users
  • Regular security awareness lunches
  • Security policy agreements
      • Human Resources
      • Legal
  • Email campaigns
  • Mock attacks
  • Create a culture of security awareness
  • What do you do?

4
Security Lunches
  • Security brown bags
  • Regularly scheduled seminars
  • Invited speakers

5
Security Policy
  • Make time for employees to read
  • Expect end-users to read
  • Have them sign it initially and annually (maybe
    as part of annual benefit enrollment)
  • Make policies readable and consistent with
    organizational culture
  • Make enforcement explicit
  • Keep this alive if policy changes, start from
    the top

6
Email Campaigns
  • An email a day keeps the hacker away
  • Use other common venues
      • Bulletin boards
      • Paychecks
      • Intranet log-on
  • Don't spam: overexposure can be
    counter-productive

7
Mock Attacks
  • Ask all employees to send current information
    over email
  • Send email from manager with suspicious
    attachment
  • Send email from well known (and liked) employee
    with suspicious link

8
Culture of Security Awareness
  • Make security explicit
  • Reward good security habits
  • Lead by example
      • Yourself
      • Your boss
  • Solicit help from end-users themselves

9
Technical and Security Staff
  • Regular presentations
      • Increase awareness with end users
      • Makes staff accessible
  • Make reporting incidents easy
  • Technical training
  • Compliance training
  • Education
  • How else to increase their expertise?

10
Presentations
  • Get your security people to mix
      • With end-users
      • With project planners
      • With management
  • If employees know who the security people are,
    they are already buying in

11
Make Reporting Easy
  • Starts with security policy
  • Provide multiple avenues
      • Paper
      • Verbal
      • Email
      • Internet
      • Anonymous
  • Recognize effective use of reporting

12
Technical Training
  • Plethora of certifications
  • Encourage membership in professional societies
  • Recommend readings from journals, newspapers, the
    web
  • Expect it and recognize it

13
Compliance Training
  • These people will likely implement it; they need
    to understand it
  • Can your legal department handle it?
  • Are there opportunities to outsource? Do you
    trust them?

14
Education
  • Big investment
  • Use as a reward
  • Strategic decision to empower long-term thinking
    about security

15
Management
  • Compliance training
  • Legal and technical seminars
  • Incorporate security in business processes
  • Instill a culture of information security ethics
  • What more can you do?

16
Compliance Training
  • Can you do this in house?
  • Who are the recognized and respected names in
    your business?
  • How does compliance impact business processes
    with respect to security?

17
Legal and Technical Seminars
  • May be done in-house
      • Legal department
      • Security personnel
  • Many opportunities for outsourcing
  • Expect it of managers and recognize them for
    doing it

18
Incorporate Security
  • Security as a band-aid will fall off in the
    shower
  • A non-functional requirement, but a requirement
    nonetheless
  • Work with project managers to make security part
    of the project

19
Instill a Culture of Ethics
  • "Do what I say, not what I do" just won't work
  • Most difficult part of being a leader: you must
    live the result you want
  • Ethics is the only thing that separates the white
    hats from the black hats
  • Ethics can be taught!

20
The Boardroom
  • What can you do?

21
The Boardroom
  • Money talks
  • Find a champion
  • Get them involved
  • Make legal implication explicit
  • Organizational culture is defined here

22
Money Talks
  • Risk assessment
  • Security must pay for itself
  • Security is a recurring budget item, not an
    expense
  • Amortizing the cost of security may help

23
Find a Champion
  • Is anyone in upper management a technophile?
      • Security savvy?
      • Forward thinking?
  • Find this person and groom

24
Get Them Involved
  • Look for ways to get upper level management
    involved in security
      • Have them send the suspicious email
      • Have them recognize good security efforts
      • Solicit feedback on policies

25
Legal Implications
  • International, national, state, and municipal
    laws
  • Standards of conduct
  • Reasonable expectations of care
  • Consequences of non-compliance