According to the European Network and Information Security Agency, "Awareness of the risks and available safeguards is the first line of defence for the security of information systems and networks." Yet, given the number of data security incidents reported in the press recently that can be put down to human error or fallibility, it is clear that awareness of security issues is still not as widespread as it could be. Governments are trying to address issues of awareness among the general public with initiatives such as www.getsafeonline.com from the UK providing an example of a website offering security awareness tips for the public. Also in the UK, lessons in safe use of the internet will become a compulsory part of the primary school curriculum from 2011 onwards in England to inculcate awareness of security issues among schoolchildren from a young age.
Initiatives such as these are needed and will be vital in protecting citizens in the future. However, too few of today's employees have benefited from any education in security and even computer science courses are only just beginning to incorporate an element of security. Because of this, security training needs to be a core part of business education programmes provided to employees. And providing security awareness training to employees will help to safeguard organisations from damage resulting from security incidents, but will also help them to ensure that they are in compliance with any number of industry standards and government regulations that they face as many demand that security awareness training is provided to employees, ranging from data protection acts to the Payment Card Industry Data Security Standards.
It is often said that business is all about people, process and technology. When looking at security, virtually every organisation deploys some sort of security technology to safeguard their business from attack, with anti-virus tools and firewalls almost ubiquitously used. Most also define processes that govern how the business runs, backed up by policies that outline procedures that must be followed and the behaviour that is expected of employees. But people are fallible, and just providing a policy does not guarantee that employees have read it, or, more importantly, understand its provisions.
In order to ensure that policies are adhered to, there are two essential elements required--communication and awareness. This is where automated tools come into play as an addition to training programmes. Such tools aid in the creation, review and publishing of policy documents, with the system being capable of sending out the resulting policy to all employees electronically, providing notifications for management and audit purposes when each user has read the policy. But that does not ensure that they have taken in and understood all elements of the policy and the behaviour that is expected of them.
To aid in this process, automated policy compliance tools are available on the market that provide e-learning, testing and evaluation modules to ensure that employees read and understand what behaviour is expected of them according to the provisions of the policy. This can include the use of security controls such as encryption of data on all portable devices to guard against data theft, the need to keep security applications such as anti-virus tools updated with the latest defences, or the imperative to never give their passwords or personal information out without validating who it is asking for that information, and why.
Such tools use libraries of questions that aim to educate employees about the provisions set and the behaviour expected of them, which can be used to test their level of knowledge and to ascertain whether or not further awareness training is required. Users can take the courses and tests at times set by the organisation, or can complete them in their own time, with notifications sent to their managers when courses have been successfully completed. Automation of such tasks also allowed an audit trail to be generated that can be used to prove that policies have been adequately communicated and that users understand their provisions.
The role of employee awareness of security is not being lost on organisations today, many of which have implemented training programmes for all their employees in recent months. However, most such programmes lack any way of ensuring that the training is effective and that employees really understand what is required of them. With cost control an issue for all today, a means must be found of making that training as efficient, cost-effective and reliable as possible. Since awareness is the fist line of defence against the security threats that we face today, only by using automated tools that can audit the effectiveness of programmes and can ensure that no employees have missed out on training can organisations be sure that their defences are adequately manned.
Further details on this subject can be found by clicking on this link: The human element of compliance.
By Fran Howarth, Senior analyst, Bloor Research