We all pay lip service to the idea that data security is the collective responsibility of all staff, not just something that can safely be left to the good offices of the IT department. But what can and should organisations do to convince and empower all IT users to play an active part in protecting the data that are the lifeblood of a modern enterprise?
First of all, as always, your starting point is risk assessment. Once you can identify the weak spots in your technical and administrative infrastructure, you can start reducing the attack surface - the extent of your exposure. In principle, that applies as much to psychological exposure as it does to coding vulnerabilities.
Formulate, codify and enforce boundaries (using policies, standards, and protocols), and make sure that your workforce understands why they’re there, and what is expected of them: from experience, people are better at complying with requirements they understand.
At one time, social engineering wasn’t just a technique used by the bad guys to trick people into situations where they were vulnerable to exploitation: it was a value-free sociological term that applied equally to steering society towards behaviour thought to be advantageous to the community, whether by governments or by educationalists. It’s perfectly reasonable for enterprises to attempt some (counter-) social engineering in that educational sense rather than the “people hacking” sense: educate your workforce into being resistant to criminal psychological manipulation. You don’t have to (and indeed can’t) turn users into security experts, qualified firewall administrators or penetration testers, but teaching them a healthy dose of security scepticism and hygiene will pay dividends.
Google and Facebook are not always your friends. The commoditisation of the user as a source of sellable information may be legitimate, and perhaps even, in some social respects, a Good Thing. It is not, however, good for the employer when staff have trouble separating their computing activities at home from what they do at work: train them to keep their work lives and social lives separate.
This is not advocating a return to the old days of banning all personal phone calls, e-mail and the like on work time (though that can make security management easier in some respects), but some form of partitioning between sensitive or critical internal systems and personal transactions does reduce the risk of a personal compromise turning into a workplace crisis. Moreover, when you do that training in security hygiene, you can mitigate the risk further by giving staff the means to apply the same lessons to their home life online. In doing so, teach them also to be mindful of targeted attacks - advanced persistent threats, spear-phishing and so on - that are specifically intended to use the individual as an entry point into the target organisation.
Don’t restrict your consideration to the users: various levels of your management and your IT unit need to be on the same page. In particular, the IT team needs to be on board with the idea of making security a positive experience and an exercise in constructive compromise between business need and security imperatives. And finally, invest in technical training wherever it’s called for - and audit, audit, audit.
This was first published in November 2011