Unfortunately, when we talk about data security awareness among our employees and business partners, we're really talking about a moving target, because the number and variety of threats to our enterprises keep changing as the battle rages between enterprises and those who would plunder them. As a result, any security awareness training we provide today will undoubtedly have to be reworked, repeated and added to in the succeeding months.
In a recent posting on the BlogNotions newsletter, author Andy Willingham states that most security awareness programs simply aren't worth the time, effort and cost associated with them. He acknowledges the value in making users aware of the dangers, but bemoans the fact that such programs are "forced down users' throats like a spoonful of Castor Oil."
Indeed, being called away from one's work to attend a security awareness session does seem a lot like the bogus "health" classes we were forced to take in high school -- which were little more than an excuse to fill some teacher's empty period during the day.
Whatever happens in such sessions -- in school or at work -- is quickly forgotten the moment we return to real life. Add to that the fact that awareness curricula will have to be updated and changed regularly, and the prospects for education in this area seem bleak indeed.
Yet, security awareness is vital to preventing breaches that could lead to significant losses and even more significant lawsuits for failure to perform due diligence. So, how can we get the word out about potential security threats without boring our audience to tears -- and in a way that keeps them interested enough to continue to be on the lookout for security problems?
One solution might be to offer financial incentives. A number of software companies have made a practice of paying out "bounties" to anyone who can discover flaws in their programs, including things that compromise security. By doing this, they have created a relatively inexpensive system for finding and dealing with bugs that does not include paying in-house programmers to do so.
In the same manner, any enterprise could offer small rewards to those employees who report obvious phishing schemes or other suspicious communications that make their way into corporate emails. The reported emails could then have their links disabled and could be sent around to all as a warning. The whistleblower would get a few dollars, and maybe the most impressive catch each month could be awarded a somewhat larger bonus.
Certainly, such a strategy would ramp up awareness among employees and would help promote better security practices. Of course, this might not be enough by itself. We still need to educate them about other types of threats, including social engineering schemes designed to elicit confidential information from unsuspecting employees. Those additional sessions, however, could perhaps be tied to the awarding of the "catch of the month" to one or more sharp-eyed workers. To return to the castor oil analogy, it helps to remember that "a spoonful of sugar helps the medicine go down."
Yes, this entails a bit of extra work for information technology, but it also creates a structure that actively seeks to keep security tight -- and that has huge value.
ARA TREMBLY is founder of Ara Trembly, The Tech Consultant. He writes about insurance and technology, and can be reached at firstname.lastname@example.org.
November 1, 2012
Copyright © 2012 LRP Publications