Every so often a story appears identifying users, with their overall lack of computer security awareness and sometimes of plain common sense, as the weakest link in the network security chain.
With just a little social engineering, an attacker can trick a user into surrendering his username or password. Studies have been done where users were given CDs on their way to work or picked up USB keys that were planted where they could be found. These users take them into work, where many of them will run them on or connect them to their work PCs without considering what sort of malware could be contained on them.
A simple trick like that can get malicious software past the external firewalls, gateway antivirus and every other line of defense you have in place. It is important to keep users informed about threats and common sense security practices so that they are not such easy targets. By making computer security awareness a part of everyday culture, you will help remove some of the mystique or confusion and help users to better protect company data and network resources.
Here are a few things you can do to raise security awareness among users:
- Lead by example: Employees are not very good at the "do as I say, not as I do" mantra when it comes to computer and network security. It is important for executive management and the managers and technicians within the IT department to adhere to the same security rules as the rest of the users.
- Education: Many companies have annual security awareness training. Often though, users read and retain just enough to prove they took the training and check the box on their employee records until next year. Consider ways to make the information valuable to the user, like how they can secure their home computers. Users may not care as deeply about the company network, but if you educate them on what is relevant to them when they are using their home computers, they are more likely to retain and apply the lesson.
- Make security a culture, not an event: Security is a concern every day. New technologies and new threats emerge constantly and it is important for users to remain aware of the current threats and maintain a level of common sense and guarded caution when it comes to potential attacks. When security awareness is just an annual task that takes an hour or two, it gives users the sense that they only need to be concerned one day a year. Try to make computer security and security awareness a more regular part of everyday work. Use a weekly newsletter sent by email, or a tip of the day posted on the company intranet site to demonstrate to users that security is always an issue. Keep the concept fresh in their minds throughout the year.
About the author: Tony Bradley is a consultant and writer with a focus on network security, antivirus and incident response. He is the About.com Guide for Internet / Network Security, providing a broad range of security tips, advice, reviews and information. Tony is co-author of Hacker's Challenge 3 and the author of the upcoming Essential Computer Security. He contributes frequently to other industry publications. For a complete list of his freelance contributions, visit S3KUR3.com.
This was first published in June 2006