SC World Congress: Worker training key to data protection

An effective security awareness campaign doesn't make security experts out of company employees. It simply ensures they know who to call when something happens.

That was the message from Dow Williamson, executive director of SCIPP International, which provides security awareness training and certification programs for organizations worldwide. Williamson spoke Tuesday on a panel with Kris Rowley, CISO of the state of Vermont, at the second annual SC World Congress in New York.

Williamson emphasized the importance of end-user training, saying that most breaches occur due to employee error.

"Most people will agree that the vast majority [of incidents] aren't [caused] by the defeating of technology measures," he said.

The goal, Williamson said, is to get organizations to the point where their employees are not trained experts but smart enough to recognize when something is amiss. Then, they should know how to react, which likely means alerting the IT department.

Rowley said organizations must remain committed to their awareness program. Her office leverages elementary schools across the state to create posters emphasizing end-user awareness.

In addition, Vermont workers participate in a training session every other month, when they learn about a new topic – for example, phishing and creating complex passwords.

"You have to tell them all the reasons why [they shouldn't do something]," Rowley said.

She also stressed the importance of enforcing written policy. Employees must realize that violating these rules will result in consequences.

"Otherwise, it's just a Word document sitting out on the internet," she said.

SCIPP International announced in August that its end-user awareness certificate program entered the American National Standards Institute (ANSI) Certificate Accreditation Program, which attests that a company's training program meets a consensus benchmark, Williamson said.

That means, for the first time, organizations that educate their end-users can now also use that fact as evidence to regulators that they are demonstrating compliance, Williamson said.
