Security Awareness in the Enterprise


Published on

Security Awareness in the Enterprise

Published in: Technology, Education
  • Explained clearly. Nice job.

    Roy Jan
    Are you sure you want to  Yes  No
    Your message goes here
  • Great display. I've taken some of the structure graphics together with adapted to my startup
    Are you sure you want to  Yes  No
    Your message goes here
No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Security Awareness in the Enterprise

  1. 1. Security Awareness in the Enterprise Jacob D. Furst Jean-Philippe Labruyere 22 March 2006
  2. 2. Four Levels of the Enterprise <ul><li>End users </li></ul><ul><li>Technical and security staff </li></ul><ul><ul><li>Technical </li></ul></ul><ul><ul><li>Audit </li></ul></ul><ul><ul><li>Compliance </li></ul></ul><ul><li>Management </li></ul><ul><li>“The Boardroom” </li></ul><ul><li>What did we miss? </li></ul>
  3. 3. End Users <ul><li>Regular “security awareness lunches” </li></ul><ul><li>Security policy agreements </li></ul><ul><ul><li>Human Resources </li></ul></ul><ul><ul><li>Legal </li></ul></ul><ul><li>Email campaigns </li></ul><ul><li>Mock attacks </li></ul><ul><li>Create a culture of security awareness </li></ul><ul><li>What do you do? </li></ul>
  4. 4. Security Lunches <ul><li>Security brown bags </li></ul><ul><li>Regularly scheduled seminars </li></ul><ul><li>Invited speakers </li></ul>
  5. 5. Security Policy <ul><li>Make time for employees to read </li></ul><ul><li>Expect end-users to read </li></ul><ul><li>Have them sign it initially and annually (maybe as part of annual benefit enrollment) </li></ul><ul><li>Make policies readable and consistent with organizational culture </li></ul><ul><li>Make enforcement explicit </li></ul><ul><li>Keep this alive – if policy changes, start from the top </li></ul>
  6. 6. Email Campaigns <ul><li>An email a day keeps the hacker away </li></ul><ul><li>Use other common venues </li></ul><ul><ul><li>Bulletin boards </li></ul></ul><ul><ul><li>Paychecks </li></ul></ul><ul><ul><li>Intranet log-on </li></ul></ul><ul><li>Don’t spam – overexposure can be counter-production </li></ul>
  7. 7. Mock Attacks <ul><li>Ask all employees to send current information over email… </li></ul><ul><li>Send email from manager with suspicious attachment… </li></ul><ul><li>Send email from well known (and liked) employee with suspicious link… </li></ul>
  8. 8. Culture of Security Awareness <ul><li>Make security explicit </li></ul><ul><li>Reward good security habits </li></ul><ul><li>Lead by example </li></ul><ul><ul><li>Yourself </li></ul></ul><ul><ul><li>Your boss </li></ul></ul><ul><ul><li>Solicit help from end-users themselves </li></ul></ul>
  9. 9. Technical and Security Staff <ul><li>Regular presentations </li></ul><ul><ul><li>Increase awareness with end users </li></ul></ul><ul><ul><li>Makes staff accessible </li></ul></ul><ul><li>Make reporting incidents easy </li></ul><ul><li>Technical training </li></ul><ul><li>Compliance training </li></ul><ul><li>Education </li></ul><ul><li>How else to increase their expertise? </li></ul>
  10. 10. Presentations <ul><li>Get your security people to mix </li></ul><ul><ul><li>With end-users </li></ul></ul><ul><ul><li>With project planners </li></ul></ul><ul><ul><li>With management </li></ul></ul><ul><li>If employees know who the security people are, they are already buying in </li></ul>
  11. 11. Make Reporting Easy <ul><li>Starts with security policy </li></ul><ul><li>Provide multiple avenues </li></ul><ul><ul><li>Paper </li></ul></ul><ul><ul><li>Verbal </li></ul></ul><ul><ul><li>Email </li></ul></ul><ul><ul><li>Internet </li></ul></ul><ul><ul><li>Anonymous </li></ul></ul><ul><li>Recognize effective use of reporting </li></ul>
  12. 12. Technical Training <ul><li>Plethora of certifications </li></ul><ul><li>Encourage membership in professional societies </li></ul><ul><li>Recommend readings from journals, newspapers, the web </li></ul><ul><li>Expect it and recognize it </li></ul>
  13. 13. Compliance Training <ul><li>These people will likely implement it, they need to understand it </li></ul><ul><li>Can you legal department handle it? </li></ul><ul><li>Are their opportunities to outsource? Do you trust them? </li></ul>
  14. 14. Education <ul><li>Big investment </li></ul><ul><li>Use as a reward </li></ul><ul><li>Strategic decision to empower long-term thinking about security </li></ul>
  15. 15. Management <ul><li>Compliance training </li></ul><ul><li>Legal and technical seminars </li></ul><ul><li>Incorporate security in business processes </li></ul><ul><li>Instill a culture of information security ethics </li></ul><ul><li>What more can you do? </li></ul>
  16. 16. Compliance Training <ul><li>Can you do this in house? </li></ul><ul><li>Who are the recognized and respected names in your business? </li></ul><ul><li>How does compliance impact business processes with respect to security? </li></ul>
  17. 17. Legal and Technical Seminars <ul><li>May be done in-house </li></ul><ul><ul><li>Legal department </li></ul></ul><ul><ul><li>Security personnel </li></ul></ul><ul><li>Many opportunities for outsourcing </li></ul><ul><li>Expect it of managers and recognize them for doing it </li></ul>
  18. 18. Incorporate Security <ul><li>Security as an band-aid will fall off in the shower </li></ul><ul><li>A “non-functional” requirement, but a requirement none-the-less </li></ul><ul><li>Work with project managers to make security part of the project </li></ul>
  19. 19. Instill a Culture of Ethics <ul><li>“Do what I say, not what I do,” just won’t work </li></ul><ul><li>Most difficult part of being a leader – you must live the result you want </li></ul><ul><li>Ethics is the only thing that separates the white hats from the black hats </li></ul><ul><li>Ethics can be taught! </li></ul>
  20. 20. The Boardroom <ul><li>What can you do? </li></ul>
  21. 21. The Boardroom <ul><li>Money talks </li></ul><ul><li>Find a champion </li></ul><ul><li>Get them involved </li></ul><ul><li>Make legal implication explicit </li></ul><ul><li>Organizational culture is defined here </li></ul>
  22. 22. Money Talks <ul><li>Risk assessment </li></ul><ul><li>Security must pay for itself </li></ul><ul><li>Security is a recurring budget item, not an expense </li></ul><ul><li>“Amortizing” the cost of security may help </li></ul>
  23. 23. Find a Champion <ul><li>Is anyone in upper management a technophile? </li></ul><ul><li>Security savvy? </li></ul><ul><li>Forward thinking? </li></ul><ul><li>Find this person and groom… </li></ul>
  24. 24. Get Them Involved <ul><li>Look for ways to get upper level management involved in security </li></ul><ul><li>Have them send the “suspicious” email </li></ul><ul><li>Have them recognize good security efforts </li></ul><ul><li>Solicit feedback on policies </li></ul>
  25. 25. Legal Implications <ul><li>International, national, state, and municipal laws </li></ul><ul><li>Standards of conduct </li></ul><ul><li>Reasonable expectations of care </li></ul><ul><li>Consequences of non-compliance </li></ul>