Educating the masses for IT security

It was a career-defining moment for Dolicker, 53, who joined the 24,000-employee company roughly nine months ago and "worked like a dog" to build the program in just 45 days to meet the unofficial Nov. 30 holiday.

In addition to new acceptable-use policies based on ISO 17799 (International Organization for Standardization) best practices standard, the program includes a revamped security home page on the company's intranet and a video message from Lenovo's CIO that preaches the importance of information security in every employee's daily routine.

Then, this past April, the Raleigh, N.C.-based enterprise rolled out what Dolicker calls IT security's version of an elevator pitch — a mandatory 30-minute online training session covering the most pertinent topics affecting employees — such as password usage, social engineering tactics and handling of sensitive information.

Looking back, Dolicker doesn't know how he and his team accomplished so much in such a short time. But any fatigue that resulted was well worth it, he figures, especially if the initiative's main goal is achieved: Get all employees thinking security, every day, not just on International Computer Security Day.

"Anybody who touches information needs to have it stuck in their head," Dolicker says. "If something's amiss, they may not react as quickly as an incident response team. Hopefully we've stuck it in their heads enough that it will raise their initial suspicion. If nobody tells them, they take their best guess, and people are really bad guessers when it comes to security."

Lenovo, which purchased IBM's Personal Computing Division in May 2005, and now manufactures the popular ThinkPad notebook computers, is one of a growing number of diverse organizations realizing the limitless value of an informed employee.

"People are interested in awareness programs because most incidents have their root cause in intentional or non-intentional lack of compliance on the part of employees," says Kavitha Venkita, practice manager of the Washington, D.C.-based Information Risk Executive Council, a research consortium that is currently studying what motivates workers to follow (or disobey) security policies.

Meanwhile, Lenovo, with locations in 66 countries, is not stopping at the educational aspect. Beginning this fiscal year, the company made the understanding of security policies a job requirement, an enforcement strategy that will place security awareness on annual employee performance evaluations.

"It's part of your job now," Dolicker says matter of factly. "Good security practices are just one of the things you've got to do working here."

Valuing employee awareness

Lenovo is not the only organization putting funds toward building a more aware staff. According to a recent study from INPUT, a market research and advisory company covering the federal government, national agencies will pour $690 million into IT security education and awareness programs over the next five years, an annual average of $138 million. By comparison, the federal government spent $96 million on those programs in 2005.

Under the Federal Information Security Management Act (FISMA), government departments are mandated to have an annual security awareness and training program implemented. But judging from recent meltdowns — including the lost Department of Veterans Affairs' laptop and, more recently, the posting of 38,700 Social Security numbers on a public Department of Agriculture database — much work remains.

"The federal government has the largest amount of data on our citizens than any institution in the world," says Prabhat Agarwal, manager of the federal information security analysis program at Reston, Va.-based INPUT. "Users have always been and always will be the weakest link. No matter how much technology you put in place, it's always going to be an issue of users not understanding proper policies and what to do with that data."

Even though 74 percent of threats come from inside the firewall, according to an IBM study, companies still spend a majority of their budget to curtail external attacks. Yet, according to a recent Computer Economics poll, insider misuse is the highest ranking IT security threat.

And the real-life incidents continue unabated. A fall 2006 Ponemon Institute study of more than 450 U.S.-based IT security professionals revealed that more than 78 percent of respondents cited at least one unreported insider security breach at their company. Meanwhile, 89 percent of those polled consider insider threats serious, compared to only 49 percent of CEOs who feel the same way.

But, experts argue, those CEOs ought to be concerned. Despite the record funds being allocated to user education and awareness, the total expenditure still pales in comparison to technology costs. Organizations, no matter their size, jump at the chance to limit spending whenever and wherever possible.

And so, experts say, security chiefs, as part of an increasing battle in the board room for their share of the pot, should tailor their pitch to show how educated end-users are worth as much as any defense solution, likely much more.

"User awareness is the best bang for the buck in an information security program," Dolicker says. "You can put all the processes and technologies in place that you want, but if people are performing badly in the handling of information, it's a huge hit."

Providing information is your job

Security experts typically break the insider threat down into three categories: accidents, opportunists (such as third-party contractors who have access to workstations), and revenge-seekers. Typically, though, the primary concern is the first on that list: those employees who pose a security risk and probably do not even realize it.

"The outright malevolent behavior or fraud is not the issue," Dolicker says. "The thing that is of most concern is someone whose focus drifts. If their suspicion is not where it should be, and their attention has drifted somewhere else and you can distract them, that's when a compromise can happen."

Some organizations, particularly those dealing with large amounts of sensitive data, are most at risk. For an entity such as the city of Jacksonville, Fla., which shares government services with Duval County, many employees are in the business of handling data. And, to complicate matters, the local government — like many across the country — is hamstrung by the Public Records Law, part of the Freedom of Information Act (FOIA), which gives the public the right to access documents from federal government agencies.

"Any person can ask for information from anyone who works in the city, and you're obligated to deliver it in a timely and accurate fashion," says Kevin Haynes, the city's first-ever director of security. "But when I first came in and performed a complete assessment, I noticed a glaring risk: Not a single employee had ever been educated or given rules on ethical behavior, or even been educated on how to use the computer system responsibly."

This was a big red flag for Haynes, on the job for about 1 1/2 years. Like Dolicker, he acted quickly to implement an employee education program. In April, he distributed new internal security policies and unmasked a one-hour-a-year training requirement for all workers.

And realizing that his seven-person team was inadequate to educate the 12,000 employees, he called on the city's records management vendor to train workers on what exactly the public record requirements necessitate.

"Improper information disclosure is absolutely my number one security risk," Haynes says.

The psychology of an employee

The Information Risk Executive Council, which represents more than 400 member organizations, is studying the behavioral psychology behind employees' decisions to either abide by or dismiss information security policies. The organization, which expects to poll some 10,000 people, plans to release its findings this month.

Venkita, who is helping to lead the study, hopes to glean some ideas as to what prompts employees to care about security. She and her team are exploring a number of hypotheses: Do employees find awareness training inconvenient because they think security is someone else's job? Are they more likely to listen to a direct supervisor or a peer than someone higher up the corporate ladder? Does learning and practicing security disrupt their normal job requirements? Will education sink in better if it is connected to their personal life?

Venkita says answering some of those questions will help chief security pros properly disperse funds into awareness and education programs. She also hopes the study will help generate a return-on-investment metric from those companies that have installed successful policies.

The timing of the research is ideal, she says, because almost all member companies are either already implementing an awareness program or considering one for the first time this year.

The right stuff

Depending on who one asks, the right way to instruct employees on security varies. But only recently have organizations truly begun examining the best ways to make the message stick. Many have embarked on innovative initiatives.

Venkita, for example, says some of her clients have tapped into the workforce's changing demographic by teaching security through video games or downloadable podcasts. Other organizations have assigned peers, known as security wardens, to provide tips to other workers or to flag risky behavior. The thinking behind the initiative is that employees are more likely to act on something if it comes from a colleague on equal footing than from a superior.

Still other companies are changing the context by discussing security in terms of how it affects an employee personally, rather than what it means for the company, Venkita says. Additional programs are empowering workers themselves to come up with creative ways to spread the word.

At New York-based Big Four accounting firm Ernst & Young, the security department confiscates laptops if they are unlocked when not in use, say employees (who wish to remain anonymous). To reclaim the confiscated PCs, workers must explain why they forgot to lock their machines and then they get a quick refresher course in security. These employees say they dread that walk to IT, so many have gotten better at remembering to lock them.

Then there are those playing the shame game. Hugh Njemanze, chief technology officer and executive vice president of research and development at Cupertino, Calif.-based ArcSight, says he knows of some firms that are posting some of the risky websites employees have visited on the company intranet to discourage workers from revisiting those URLs.

There are a lot of potentially dangerous sites out there. Administrators are no longer only worried about the typical culprits, but are also concerned about vulnerable Web 2.0 sites and blogs where one could — theoretically — discuss company secrets, experts say.

Repetition is key

INPUT's Agarwal, meanwhile, believes that success rests in repetition, particularly repeated security awareness testing. "Maybe even random testing, whether they know how to recognize a security incident or not," he says.

Dolicker says he thinks simplicity is a helpful motivator. First, any technology Lenovo deploys must not force employees to "think" too much, he says. For example, Lenovo deploys SafeGuard Enterprise from Foxboro, Mass.-based Utimaco Safeware to protect its data across the lifecycle. Second, Dolicker created a condensed version of Lenovo's security policy with a FAQ-type document that lists 36 of the most common guidelines employees must follow.

"You'll find that not even the best employees will spend a huge amount of time trying to find the answer to an information security question," he says.

The ideas are plentiful, it seems. But of all the revolutionary possibilities, perhaps hitting employees where they feel it the most — in their paycheck — is the one with the most legs. Tying awareness to job reviews may seem like a draconian concept, but in today's sophisticated threat landscape, it should only become more common, experts say.

After all, if a worker's chance for a raise at least partially rests on their ability to spot a phishing attack, well, they may not be so quick to follow that link.

SECURITY AWARENESS:
A universal standard