Security Awareness in the Enterprise Jacob D. Furst Jean-Philippe Labruyere 22 March 2006

Four Levels of the Enterprise End users Technical and security staff Technical Audit Compliance Management “The Boardroom” What did we miss?

End users

Technical and security staff

Technical

Audit

Compliance

Management

“The Boardroom”

What did we miss?

End Users Regular “security awareness lunches” Security policy agreements Human Resources Legal Email campaigns Mock attacks Create a culture of security awareness What do you do?

Regular “security awareness lunches”

Security policy agreements

Human Resources

Legal

Email campaigns

Mock attacks

Create a culture of security awareness

What do you do?

Security Lunches Security brown bags Regularly scheduled seminars Invited speakers

Security brown bags

Regularly scheduled seminars

Invited speakers

Security Policy Make time for employees to read Expect end-users to read Have them sign it initially and annually (maybe as part of annual benefit enrollment) Make policies readable and consistent with organizational culture Make enforcement explicit Keep this alive – if policy changes, start from the top

Make time for employees to read

Expect end-users to read

Have them sign it initially and annually (maybe as part of annual benefit enrollment)

Make policies readable and consistent with organizational culture

Make enforcement explicit

Keep this alive – if policy changes, start from the top

Email Campaigns An email a day keeps the hacker away Use other common venues Bulletin boards Paychecks Intranet log-on Don’t spam – overexposure can be counter-production

An email a day keeps the hacker away

Use other common venues

Bulletin boards

Paychecks

Intranet log-on

Don’t spam – overexposure can be counter-production

Mock Attacks Ask all employees to send current information over email… Send email from manager with suspicious attachment… Send email from well known (and liked) employee with suspicious link…

Ask all employees to send current information over email…

Send email from manager with suspicious attachment…

Send email from well known (and liked) employee with suspicious link…

Culture of Security Awareness Make security explicit Reward good security habits Lead by example Yourself Your boss Solicit help from end-users themselves

Make security explicit

Reward good security habits

Lead by example

Yourself

Your boss

Solicit help from end-users themselves

Technical and Security Staff Regular presentations Increase awareness with end users Makes staff accessible Make reporting incidents easy Technical training Compliance training Education How else to increase their expertise?

Regular presentations

Increase awareness with end users

Makes staff accessible

Make reporting incidents easy

Technical training

Compliance training

Education

How else to increase their expertise?

Presentations Get your security people to mix With end-users With project planners With management If employees know who the security people are, they are already buying in

Get your security people to mix

With end-users

With project planners

With management

If employees know who the security people are, they are already buying in

Make Reporting Easy Starts with security policy Provide multiple avenues Paper Verbal Email Internet Anonymous Recognize effective use of reporting

Starts with security policy

Provide multiple avenues

Paper

Verbal

Email

Internet

Anonymous

Recognize effective use of reporting

Technical Training Plethora of certifications Encourage membership in professional societies Recommend readings from journals, newspapers, the web Expect it and recognize it

Plethora of certifications

Encourage membership in professional societies

Recommend readings from journals, newspapers, the web

Expect it and recognize it

Compliance Training These people will likely implement it, they need to understand it Can you legal department handle it? Are their opportunities to outsource? Do you trust them?

These people will likely implement it, they need to understand it

Can you legal department handle it?

Are their opportunities to outsource? Do you trust them?

Education Big investment Use as a reward Strategic decision to empower long-term thinking about security

Big investment

Use as a reward

Strategic decision to empower long-term thinking about security

Management Compliance training Legal and technical seminars Incorporate security in business processes Instill a culture of information security ethics What more can you do?

Compliance training

Legal and technical seminars

Incorporate security in business processes

Instill a culture of information security ethics

What more can you do?

Compliance Training Can you do this in house? Who are the recognized and respected names in your business? How does compliance impact business processes with respect to security?

Can you do this in house?

Who are the recognized and respected names in your business?

How does compliance impact business processes with respect to security?

Legal and Technical Seminars May be done in-house Legal department Security personnel Many opportunities for outsourcing Expect it of managers and recognize them for doing it

May be done in-house

Legal department

Security personnel

Many opportunities for outsourcing

Expect it of managers and recognize them for doing it

Incorporate Security Security as an band-aid will fall off in the shower A “non-functional” requirement, but a requirement none-the-less Work with project managers to make security part of the project

Security as an band-aid will fall off in the shower

A “non-functional” requirement, but a requirement none-the-less

Work with project managers to make security part of the project

Instill a Culture of Ethics “Do what I say, not what I do,” just won’t work Most difficult part of being a leader – you must live the result you want Ethics is the only thing that separates the white hats from the black hats Ethics can be taught!

“Do what I say, not what I do,” just won’t work

Most difficult part of being a leader – you must live the result you want

Ethics is the only thing that separates the white hats from the black hats

Ethics can be taught!

The Boardroom What can you do?

What can you do?

The Boardroom Money talks Find a champion Get them involved Make legal implication explicit Organizational culture is defined here

Money talks

Find a champion

Get them involved

Make legal implication explicit

Organizational culture is defined here

Money Talks Risk assessment Security must pay for itself Security is a recurring budget item, not an expense “Amortizing” the cost of security may help

Risk assessment

Security must pay for itself

Security is a recurring budget item, not an expense

“Amortizing” the cost of security may help

Find a Champion Is anyone in upper management a technophile? Security savvy? Forward thinking? Find this person and groom…

Is anyone in upper management a technophile?

Security savvy?

Forward thinking?

Find this person and groom…

Get Them Involved Look for ways to get upper level management involved in security Have them send the “suspicious” email Have them recognize good security efforts Solicit feedback on policies

Look for ways to get upper level management involved in security

Have them send the “suspicious” email

Have them recognize good security efforts

Solicit feedback on policies

Legal Implications International, national, state, and municipal laws Standards of conduct Reasonable expectations of care Consequences of non-compliance

International, national, state, and municipal laws

Standards of conduct

Reasonable expectations of care

Consequences of non-compliance