Weakest link: End-user education
Dan Beard, chief administrative officer of the House of Representatives
Organizations must educate end-users, says Dan Beard, chief administrative officer of the House of Representatives, reports Dan Kaplan.
Many on Capitol Hill believe, and for good reason, that bipartisanship is nothing but a Beltway myth, more often used as a tiresome campaign slogan than a legitimate goal. But, on albeit rare occasions, both sides of the aisle do come together in unison – and not just because one side needs the votes.
Cybersecurity legislation traditionally has been one of those exceptions. So it was no surprise that when the U.S. House of Representatives decided to turn its attention inward to its own digital security posture, Democratic and Republican leaders alike agreed that there was ample room for improvement.
In December, the joint House leadership approved a five-part plan to boost the lower chamber's security policies and to further safeguard its IT systems. Most pivotal among the new recommendations was to this year begin mandatory security awareness training of all House members and their staffs.
“We have had solid bipartisan support from [Speaker Nancy] Pelosi and [Minority Leader John] Boehner,” says Dan Beard, 66, chief administrative officer of the House. “Anytime we've gone to them with a set of recommendations to increase our cybersecurity, they have enthusiastically endorsed it.”
And while Beard, whose office oversees the House's operations infrastructure, is no IT security expert, he is well versed in the changing face of cybercrime. What was once a threat landscape dominated by so-called script kiddies who were set on vandalizing the web to gain notoriety has given way to a stealthier group of perpetrators – ones who prefer to break into computer systems to steal sensitive information while remaining in the shadows.
“Now we have people who want to get in and don't want you to know that they're there,” Beard says. “The question is, how do you deal with it? You need better hardware and software. But in the end, it comes down to having a trained and committed workforce that uses the systems.”
The House has dealt with frightening examples over the last few years. In June 2008, two lawmakers announced that their office computers were infiltrated by hackers operating out of China, though a spokesman for the nation's Foreign Ministry denied that country's involvement.
“We're a highly visible target,” Beard says. “We always have been. That's the challenge for government agencies. You have to be constantly vigilant.”
Then, late last year came the tipping point. In an exclusive story, the Washington Post reported that a junior staffer for the House Standards Committee was fired after leaking a confidential report on a peer-to-peer network on the staffer's home computer. The report detailed investigations into more than 30 Congress members and a number of aides.
“I think that was the straw that broke the camel's back, so to speak,” Beard says. Soon after, House leadership requested Beard's office look into revamping the House's security policies, notably the training of end-users.
The human element
The need to educate employees on proper digital safeguards always has persisted within organizations, but in today's climate of slick social engineering malware scams and the proliferation of Web 2.0 data leakage risks, it seems that the need for security aware end-users has never been so great.
“The human element is the largest security risk in any organization,” says Stephen Scharf (left), CISO at Experian and the former CSO at Bloomberg. “Most security incidents are the result of human errors and human ignorance and not malicious intent. Therefore, it is critical that significant effort is focused on education and awareness to reduce these occurrences.”
Most compliance requirements, including the Payment Card Industry Data Security Standard and the Health Insurance Portability and Accountability Act, mandate awareness training.
And the nation's financial state is making end-user education more important than ever. As if the economy already hasn't done enough damage to American businesses, it also is rearing its ugly head in the form of data leakage concerns.
According to an Information Risk Executive Council (IREC) report, which gauged the opinions of 150 of its CISO members, “employee carelessness” was listed as the top threat facing enterprises in 2010. To put that in perspective, malware ranked number three, and according to a January report from Panda Security, 2009 brought more malware samples than ever before. Forty million to be exact.
The IREC report determined that the recession will affect employee morale, leading to certain workers caring less about security risks. Layoffs, meanwhile, will contribute to increased workloads, prompting employees to evade security policies and “cut corners.” By the same token, new responsibilities will come with a lack of understanding of the risks. And potentially worst of all, the report forecasted that disgruntled workers will take their ire out on the company by orchestrating malicious computer attacks.
Technology cannot control all – or even most – of the problem. Instead, security executives have to rely on education, the report concluded.
“The most powerful preventive tools will be communication and the reinforcement of secure behaviors,” the report says.
Layoffs aren't much of a concern at the U.S. House. But laptops and mobile devices are, which are common among the 10,000 end-users, consisting of Congressional members and their staffs and extending to some 900 district offices, Beard says.
Training courses, to be held annually either online or in a classroom, will delve into the computer security basics. Among the specifics they will address are the risks that a lost smartphone poses. Attendees will be advised on the need to use protections, such as complex passwords.
“We want to make sure our employees understand our system is only as strong as its weakest link,” Beard says.
So what works to get the point across to employees? Organizations must rely on a mix of positive and negative reinforcements because training tends to wear off after a few months, says Kavitha Venkita, managing director for IREC, which has about 300 members.
A positive reinforcement comes by recognizing someone for their good behavior, while a negative reinforcement is defined by telling someone that they've done something wrong, she says. An example of the former is praise from a user's manager, while an instance of the latter might be threatening to revoke a user's IT privileges.
The most common reason for insecure behavior is the perception that compliance is too burdensome, Venkita says. This can be combated by making it easier.
“I find that a vast majority of employees treat security seriously and want to do the right thing,” Experian's Scharf says. “Employees are also pressured to get their job done and are creative at finding ways to meet deadlines. Employees who understand the value of security protections are less likely to try and subvert [policies] in the name of getting the job done.”
This potential subversion, Venkita says, also can be addressed by raising users' perception of risk, meaning letting them know the level of risk that their actions carry. Additionally, it also involves raising their emotional commitment, meaning making them believe that behaving securely is the right thing to do for the organization.
Meanwhile, to create fruitful awareness programs, organizations must gauge their efficacy. A companion study to last year's ITEC report determined that just six percent of CISOs directly measure the effectiveness of their training efforts. Instead, they commonly focus on less indicative stats, such as how many users underwent training or how much training cost, Venkita says.
“These input metrics don't necessarily correlate to secure behavior,” she says. “Just because a lot of people went through security training doesn't mean they will necessarily behave better.”
And when it comes to the actual training, Scharf says the challenge is delivering the message of security in “an exciting and entertaining way.” In his experience, Scharf has found that innovative options, such as games, short video clips and quizzes, tend to be effective. The key is conciseness and brevity, and the IT staff must be careful not to go overboard with any attempts at humor, as it may water down the message, he adds.
But, the impression that training leaves only resonates for so long. “A good security awareness program is not that one day for 30 minutes,” says Dow Williamson (left), executive director of SCIPP International, a Vienna, Va.-based nonprofit that provides security awareness training programs. “It's a 365-day-a-year program.”
As a result, he recommends reinforcing the message through mediums such as newsletters, calendars and posters. In addition, he knows some organizations that prefer to use white-hat exercises, in which employees are sent fake phishing emails to see how they respond.
Another key is connecting security training to employees' personal lives. “People tend to go the extra mile and implement best security business practices if they think it's going to help them and protect their private and sensitive information,” he says.
But finding acceptance among employees isn't always easy, a recently released Microsoft research paper suggests.
Written by Cormac Herley, the paper argues that employees who push back on security advice are making a decision that “is entirely rational from an economic perspective.” In his research, Herley studied three areas: password rules, phishing site identification and SSL certificate warnings. He found that users tend to ignore these rules because the indirect costs are too great and victimization is uncommon. In the case of SSL certificates, for example, most, if not all of the error messages seen by users are false positives.
The easiest solution is writing the rules into policy, he says. If users violate those rules, they are punished. (Remember Venkita's advice regarding negative incentives?) But what about employees who will take the chance and ignore policy? Or what about organizations whose policies are lacking?
“The big disconnect that I see between security IT people and end-users/consumers is security IT people, by and large, are worst-case thinkers, and with good reason,” Herley says. “But when it comes to users, worst-case reasoning is not a good way of selling.”
Instead, service providers and organizations must compile data on attack profiles, which can be used to make the case to end-users, he says. But such measurements largely are lacking.
“We have almost no data to suggest that anything of the kind does happen or is happening,” Herley says. “We don't have actual data, so from a user's point of view, if I ignore your warnings, nothing bad happens.”
In the U.S. House, the security staff leverages “visualization” to hammer home the point of robust end-user security, says Brent Conran, the assistant CIO who is in charge of information security.
“We can show them pictures of hacks happening to our network in real time,” Conran says. “You'd be surprised how quickly people are becoming security conscious.”
Herley says not only do organizations need to use data, they also must recognize the burden they may be placing on employees. They should view security education as a cost/benefit calculation.
“When you ignore cost in the equation, if you impose truly onerous stuff on employees, unless it addresses a real risk, you put yourself in a position where they'll work around it,” he says.
Back on Capitol Hill, Beard insists that the climate of working in a legislative branch serves as the major motivator, and users tend to want to do the right thing.
“We're all in the politics game,” he says. “It's a political world and it's a very open world. People who work here, understand the downside of someone getting in and screwing with your system and information being divulged.”
And when it comes down to it, at least for members of the U.S. House whose terms last a paltry two years, perhaps the best incentive is the fear of rejection by their constituents.
“They probably, more than everyone else, understand the downside of having an insecure system,” Beard says. “That could potentially affect their re-election. And if there's anything every member of Congress agrees on, they should be re-elected.”
improving: Security awareness
Here are some not-so-common tips for improving security awareness at your company:
Make the training campaigns role-specific or specialized, e.g. targeting sales/marketing teams or focusing on social media dos and don'ts.
Find moments to preach security when users have nothing else to do, such as when they are on the elevator or making copies.
Give out prizes to workers as a reward for secure behavior.
Ask employees to meet as a group to discuss security, then encourage them to draft rules they must follow. The “peer pressure” angle works well.
Designate a go-to security person at different levels. Workers prefer to listen to “one of their own.”
Install a suggestion box where employees can offer feedback on awareness efforts.
Source: Information Risk Executive Council