Community Effort
By Bob Violino | Posted 2012-03-13
Enterprises need to deploy a layered defense and make data protection everyone’s business.
Another key component of effective corporate security strategies is to involve the entire organization in the effort to protect systems and data.
“Everyone should be involved in security, because not all threats will be preventable” by using software alone, ICSA Labs’ Thompson says. “There are also physical threats, and social engineering, where someone will call on the phone—perhaps pretending to be from the helpdesk or trying to get the victim to share his user ID and password. Software can’t help in those situations, but education, training and awareness can.”
Tipton of ISC² adds, “There is no way any security solution has a chance of protecting our computing environment without all levels of education and skills applied across the enterprise.”
Organizations should think about security in terms of process, people and technology, says Kevin Curran, head of the School of Computing and Intelligent Systems at the University of Ulster, in the United Kingdom. “This will involve creating security policies with internal departments, performing audits, implementing physical security control and classifying risk.”
The University of Georgia, including the Small Business Development Center, requires all employees to take part in an annual security training program that was developed in-house. “Because of this requirement, the end user’s baseline understanding of security is increased, and terminology is better understood,” Lanard says.
Employees are given a choice of either watching six videos about security practices or taking an extensive test that covers multiple facets of security, including how to avoid threats such as computer viruses and phishing attacks. The program was launched about three years ago and has helped make all university employees more aware of security threats and how to protect against them, Lanard says.
Redwood Credit Union requires security training at new-employee orientation, followed by annual training updates and validation. The credit union also rotates employee passwords on a fixed schedule, tests its staff against social engineering, and performs penetration and controls testing.
“We have ad-hoc alert response teams that are called for any indication of a potential breach of any level of security,” Hildesheim says. “At a previous organization, we had an enterprise risk management team that consisted of key leaders from every major operational area that met monthly to review security issues and set security standards. We have not instituted that at this organization yet, but it’s something that’s worth the effort and will be established in the coming year.”
Redwood also has an education and awareness campaign for its customers. “This is critical in assisting them in maintaining privacy,” Hildesheim says. “To further support this effort, we have strict practices in our use of email and links in emails with our consumers.”
At Active Interest Media, “We mainly try to educate users via educational emails, short videos and posts to our help desk Website,” Saenz says. “In many ways, employees are the biggest threat to security because they already have physical access. A bad click or two is all it takes sometimes.”
Because of this, the company makes an effort to get the word out about “thinking before you click” and has set up community sections of its internal help desk Website for discussions and threads on smarter, safer computing.
“I think our work is paying off,” Saenz says. “We have never been hit with a major companywide breach. There have been minor malware attacks, but nothing that would be considered show-stopping.”