Although some might not aware, occurrences of security incidents in an organization were derived from within the organization. This is what we called insider threat. This threat could be in the form caused by fraud, human error, disgruntled employees, or simply caused by an employee playing around with hacking tools.
Hackers outside an organization – the external threat – prefer to perform social engineering targeted to employee rather than to waste efforts to technically hack into the highly secured modern technology. Social engineering is a technique to psychologically manipulate or trick user to do something that might be dangerous to your data or system. These techniques succeed well with uneducated users.
But does our employee have the ability to hack? Nowadays, hacking literature can easily be found easily just by using search engine in the internet, and also available in major bookstores all over Indonesia. These books explain steps to perform hacks and accompanied by CD that contains scripts and tools to enable reader exercise hacking steps. The books are in Bahasa Indonesia with detailed steps, making it easy to understand.
A receptionist bought a hacking book and executed the Cain & Abel software, even during her lunch break. She ran this to capture network packages to get user IDs and password from the targeted computers. This really happened a few months ago in some company in Jakarta, and it might happen to your organization too, if you don’t put security measures in managing this risk.
The above also show that intruders known as hackers may be a novice (called also script-kiddies). In the other side, it also shows that IT personnel within that organization were not prepared to handle such attacks. This is why security awareness in an organization is critical.
Information security and the protection of information assets and intellectual property begin with awareness and education. To develop and preserve a culture of security in any organization, it must be recognized that responsibility and accountability resides with all employees.
Whether it’s checking e-mail, browsing, answering a telephone, installing new application software, or only logging on and off the computer, employees must be encouraged to consider the security aspect into each action and decision made. To make it effective, concept of security must be embedded into culture and habit of the people within the organization. All employees need the training on security awareness, especially those that does not have a clue on what is security which more likely be vulnerable to social engineering, like the receptionist story above.
Employees must be educated so they are able to spot warning signs of social engineering when an intruder poses as a legitimate party like a customer, network administrator, or vendor representative, and attempts to pass of sensitive information from an employee. Just as an antivirus product scans files for virus, employees must have knowledge to detect the sign of the social engineering.
It is essential that the users obtain, at minimum, the general knowledge on information security, to enable them avoid risky activities. By educating users with the threats and how to avoid them, it will minimize your organization’s operational risks and financial losses. Information Security Awareness is not only about defense, it is about creating habits and mindset of security in every activity. More education and simple tips on how users should choose and manage passwords may avoid the problem of weak passwords, human errors, and exposure to intruders.
Employees are more likely to forget or ignore advices that have no relevance to their job, and “one lesson for all” just doesn’t work. Therefore it is important that employees make the connection between the lessons taught and the task at hand. For example, employees involved in accounting or transaction processing in a business that takes on-line credit card orders is far more likely to remember security lessons focused on protecting credit card files and personal customer information and on privacy issues.
The awareness program must be dynamic and designed to evolve in order to meet the future needs of the company and employees, current activities will need to be modified or new activities will need to be developed to maintain program relevancy. Furthermore, the awareness program must also address the issues that arise due to rapidly advancing information technology.
Now, ready to develop your very own security awareness program? There are 5 factors needed for an effective and successful security awareness program.
| Management support and sponsorship | Unless executives of an organization believe in security awareness, it is quite impossible to expect awareness from the employees. When the CEO says security is important and practice what he/she preach, employees take notice. The same goes for all executives and managers down the line. Upper management must support the security awareness program because the motivation factor to comply and participate will be much greater. |
| Assign the right person(s) | A team or at least an individual must be assigned to be accountable in developing and implementing the Security Awareness Program. Dedicate at least one person to focus on security awareness across the organization. Be sure to appoint an individual who has good communications skills and knows how to persuade, and develop relationships. |
| Use multiple means of communication | People receive and retain information effectively via different methods. Some like numbers and statistics, some like pictures or videos, and some like to attend a course or trainings. There are many ways in communicating the awareness including posters, videos, screensavers, newsletter, or by performing trainings. There is a need to analyze and decide which forms suit the culture of the organization. |
| Topics | Specific topics that should be introduced and promoted within your organization are those designed to answers the questions of what are the threats, what are we protecting, and how to protect. The topics should include physical security awareness, technical security awareness, policies and procedures, incident response, security threats, and other topics should you find important to rise. |
| Get Professional Assistance | Feeling confused? No need to reinvent the wheel. There are firms that specialize in security awareness training and providing resources. Some organizations even publish and distributes customized newsletter to your employees. If you have the budget, but not the people or time, hiring a firm to do this is money well spent to raise your employees’ security awareness. |
Implementing a successful Security Awareness Program may seem like an uneasy task. However, with the proper executive support, appropriate planning and an organized approach, the message of “I can make a difference to my company’s security” will ring loud and clear to your employees. By including the human factor in your security infrastructure via an effective Security Awareness Program, you will be implementing the ultimate defense of depth.
We must, however, understand that information security is a business requirement on top of being an ethical and legal requirement. We therefore need to be constantly aware about certain Information Security issues and ensure that proper resources are engaged and best practices adopted.
this article has been published in RSM AAJ Newsletter, you can check the link here: http://rsm.aajassociates.com/publications.php?menu=7&id=1&id0=1
Syahraki Syahrir (Raki) 