Enforcing user awareness with IT security awareness training, policy

Every security pro grows up with the mantra 'people, process and technology'. Current thinking even goes so far as to say that over-reliance on technology is causing many of our problems, and that training users in security awareness is the best way to go. I strongly disagree.

Even the best trained user will have lapses of attention and make mistakes. Well trained but disgruntled employees with the right credentials may cause huge damage unless you have a way of stopping them.

So forget users: they'll always let you down. Focus on your processes, technology and policy instead.

With a well-formed security awareness policy and the technology to enforce it, you can stop stupid, tired or evil users from causing you damage.

Someone tries to copy the customer file on to an iPod? You stop them and send an alert to the boss. Someone tries to open an email attachment from an unknown source? You either stop them, or get someone else to OK it before you allow it. Someone starts sending attachments to their Skype buddies? Just block them. All these rules can be enforced in technology very simply, provided the technology can tell which data is sensitive and which correspondents are known. That is where the policy work comes in.

Systems that rely on users behaving well are like those poorly-maintained houses where you have to jiggle the lock on the door to make it work, and remember not to lean too hard on the shelf in case it collapses. Just as someone will eventually lean on that shelf and break it, a system user will open a dodgy email attachment or copy confidential files on to a laptop or USB stick.

So why don't we lock down systems properly already?

Well, to have a security awareness policy you have to think about what's allowed and prohibited. To do it properly, that means people in the business sitting down with the IT security team and going through their processes. And that's boring.

So how about this? Even if you can't work up the energy to do a full-blown, detailed and granular security awareness policy to cover every eventuality, you can still set down a few general do's and don'ts.

For instance, some of the largest security breaches in recent years have involved nothing more sophisticated than backup tapes or discs going astray in the post (HM Revenue & Customs in the U.K. lost 25 million child benefit records that way). So why not start by ensuring that any file transfers occur over a secure communications link? In any case, why would any organisation copy valuable data on to a tape and hand it over to a bloke with a van? Probably because that's the way they've always done it, which is one good reason to conduct regular reviews of procedures.

Data leakage prevention is also top of everyone's list at the moment, but do you really want to protect (or encrypt) every piece of data? Of course not.

If full-scale data classification fills you with dread or boredom, then just come up with half a dozen types of data that you really want to protect at all costs (customer details, bank account details and credit card numbers come to mind) and focus your efforts on them alone. And make sure the HR files are properly protected too: they are a potential source of data privacy problems.
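As an added illustration that is not part of the original column, the Python sketch below shows how the two ideas above fit together: a short list of data types worth protecting (payment card numbers checked with the Luhn algorithm, a UK sort code plus account number, and lists of customer e-mail addresses) feeding a policy table that blocks, holds for approval or allows a transfer depending on where the data is going, with an alert on blocked copies of protected data. The data types, channel names, thresholds and sample records are all this example's own assumptions, not anything a particular DLP product uses.

```python
import re
from dataclasses import dataclass

# Example only: a handful of data types worth protecting and a policy
# table that decides what may go where. Names, thresholds and the sample
# records below are this example's own assumptions, not a real product's.

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most random digit strings that look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,18}\d\b")   # 14-19 digits, optional separators
SORT_CODE_RE = re.compile(r"\b\d{2}-\d{2}-\d{2}\b")   # UK sort code
ACCOUNT_RE = re.compile(r"\b\d{8}\b")                  # UK account number
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

def classify(text: str) -> set[str]:
    """Return the protected data types found in a piece of content."""
    labels: set[str] = set()
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            labels.add("card_number")
    if SORT_CODE_RE.search(text) and ACCOUNT_RE.search(text):
        labels.add("bank_account")
    if len(EMAIL_RE.findall(text)) >= 3:   # a list of customers, not one signature
        labels.add("customer_details")
    return labels

PROTECTED = {"card_number", "bank_account", "customer_details"}

# Which protected types may travel over each channel, and what happens to a
# transfer that carries anything else. "approve" holds the transfer until a
# second person OKs it.
CHANNEL_POLICY = {
    "internal_share":  {"may_carry": PROTECTED, "otherwise": "allow"},
    "email":           {"may_carry": {"customer_details"}, "otherwise": "approve"},
    "im":              {"may_carry": set(), "otherwise": "block"},
    "removable_media": {"may_carry": set(), "otherwise": "block"},
}

@dataclass(frozen=True)
class Event:
    kind: str                        # "copy", "send" or "open_attachment"
    channel: str                     # key of CHANNEL_POLICY
    user: str
    content: str = ""                # file or attachment body
    counterparty_known: bool = True  # sender/recipient is in the directory

@dataclass(frozen=True)
class Decision:
    action: str                      # "allow", "block" or "approve"
    alert: bool                      # tell the boss?
    labels: frozenset

def decide(ev: Event) -> Decision:
    labels = frozenset(classify(ev.content))
    if ev.kind == "open_attachment":
        # Attachment from an unknown sender: hold it for someone else to OK.
        return Decision("allow" if ev.counterparty_known else "approve", False, labels)
    if not labels:
        return Decision("allow", False, labels)    # nothing we care about
    if ev.channel == "email" and not ev.counterparty_known:
        return Decision("approve", False, labels)  # protected data to a stranger
    rule = CHANNEL_POLICY[ev.channel]
    if labels <= rule["may_carry"]:
        return Decision("allow", False, labels)
    action = rule["otherwise"]
    # A blocked copy of protected data is exactly the event worth alerting on.
    return Decision(action, action == "block", labels)

# Constructed sample records (industry test card numbers, made-up addresses).
CUSTOMER_FILE = """name,email,card
A Smith,a.smith@example.com,4111 1111 1111 1111
B Jones,b.jones@example.net,5500 0000 0000 0004
C Brown,c.brown@example.org,3400 0000 0000 009
"""
BANK_NOTE = "Pay supplier: sort code 12-34-56, account 12345678"

if __name__ == "__main__":
    for ev in (
        Event("copy", "removable_media", "alice", CUSTOMER_FILE),
        Event("open_attachment", "email", "bob", counterparty_known=False),
        Event("send", "im", "carol", BANK_NOTE),
        Event("send", "internal_share", "dave", CUSTOMER_FILE),
    ):
        d = decide(ev)
        print(f"{ev.user:6} {ev.kind:16} {ev.channel:16} -> {d.action:8} "
              f"alert={d.alert} {sorted(d.labels)}")
```

The point of the structure is that the hard part is the policy table and the half-dozen detectors, not the enforcement: once those exist, the copy-to-iPod, unknown-attachment and Skype cases in the column each become a one-line lookup. The Luhn check matters because a bare digit-count regex flags phone numbers and order references and trains people to ignore the alerts.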

By all means, do IT security awareness training too. It's cheap and it helps to create a secure ethos. But for heaven's sake don't rely on it to stop breaches happening.
