Security Awareness in the Enterprise

Published in: Technology, Education

  1. Security Awareness in the Enterprise
     Jacob D. Furst, Jean-Philippe Labruyere, 22 March 2006
  2. Four Levels of the Enterprise
     • End users
     • Technical and security staff
       • Technical
       • Audit
       • Compliance
     • Management
     • “The Boardroom”
     • What did we miss?
  3. End Users
     • Regular “security awareness lunches”
     • Security policy agreements
       • Human Resources
       • Legal
     • Email campaigns
     • Mock attacks
     • Create a culture of security awareness
     • What do you do?
  4. Security Lunches
     • Security brown bags
     • Regularly scheduled seminars
     • Invited speakers
  5. Security Policy
     • Make time for employees to read
     • Expect end-users to read
     • Have them sign it initially and annually (maybe as part of annual benefit enrollment)
     • Make policies readable and consistent with organizational culture
     • Make enforcement explicit
     • Keep this alive – if policy changes, start from the top
  6. Email Campaigns
     • An email a day keeps the hacker away
     • Use other common venues
       • Bulletin boards
       • Paychecks
       • Intranet log-on
     • Don’t spam – overexposure can be counter-productive
  7. Mock Attacks
     • Ask all employees to send current information over email…
     • Send email from manager with suspicious attachment…
     • Send email from well known (and liked) employee with suspicious link…
  8. Culture of Security Awareness
     • Make security explicit
     • Reward good security habits
     • Lead by example
       • Yourself
       • Your boss
       • Solicit help from end-users themselves
  9. Technical and Security Staff
     • Regular presentations
       • Increase awareness with end users
       • Makes staff accessible
     • Make reporting incidents easy
     • Technical training
     • Compliance training
     • Education
     • How else to increase their expertise?
  10. Presentations
     • Get your security people to mix
       • With end-users
       • With project planners
       • With management
     • If employees know who the security people are, they are already buying in
  11. Make Reporting Easy
     • Starts with security policy
     • Provide multiple avenues
       • Paper
       • Verbal
       • Email
       • Internet
       • Anonymous
     • Recognize effective use of reporting
  12. Technical Training
     • Plethora of certifications
     • Encourage membership in professional societies
     • Recommend readings from journals, newspapers, the web
     • Expect it and recognize it
  13. Compliance Training
     • These people will likely implement it; they need to understand it
     • Can your legal department handle it?
     • Are there opportunities to outsource? Do you trust them?
  14. Education
     • Big investment
     • Use as a reward
     • Strategic decision to empower long-term thinking about security
  15. Management
     • Compliance training
     • Legal and technical seminars
     • Incorporate security in business processes
     • Instill a culture of information security ethics
     • What more can you do?
  16. Compliance Training
     • Can you do this in house?
     • Who are the recognized and respected names in your business?
     • How does compliance impact business processes with respect to security?
  17. Legal and Technical Seminars
     • May be done in-house
       • Legal department
       • Security personnel
     • Many opportunities for outsourcing
     • Expect it of managers and recognize them for doing it
  18. Incorporate Security
     • Security as a band-aid will fall off in the shower
     • A “non-functional” requirement, but a requirement nonetheless
     • Work with project managers to make security part of the project
  19. Instill a Culture of Ethics
     • “Do what I say, not what I do,” just won’t work
     • Most difficult part of being a leader – you must live the result you want
     • Ethics is the only thing that separates the white hats from the black hats
     • Ethics can be taught!
  20. The Boardroom
     • What can you do?
  21. The Boardroom
     • Money talks
     • Find a champion
     • Get them involved
     • Make legal implications explicit
     • Organizational culture is defined here
  22. Money Talks
     • Risk assessment
     • Security must pay for itself
     • Security is a recurring budget item, not an expense
     • “Amortizing” the cost of security may help
  23. Find a Champion
     • Is anyone in upper management a technophile?
     • Security savvy?
     • Forward thinking?
     • Find this person and groom…
  24. Get Them Involved
     • Look for ways to get upper level management involved in security
     • Have them send the “suspicious” email
     • Have them recognize good security efforts
     • Solicit feedback on policies
  25. Legal Implications
     • International, national, state, and municipal laws
     • Standards of conduct
     • Reasonable expectations of care
     • Consequences of non-compliance
