Information security policies and security awareness go hand in hand. Frankly, a policy is worthless if it sits on someone’s desk. Information security policies find value when they are understood, adhered to, and enforced. To do this, employees must be made aware of the policy, the policy’s reason for being, and how it impacts them.
This article outlines the problem of enacting security policies without associated awareness programs. It also cites recent research on harmful user activities that could be mitigated through implementing awareness training following policy enactment.
The problem with policies alone
Companies are learning that they need to have policies in place that establish top management support for security initiatives. However, many of these policies lack effectiveness because end users have no knowledge of them, or they do not care. Companies need to take the next step and educate users on the policies. A study by the Ponemon Institute found that 58% of those surveyed said their employer did not provide adequate security awareness training. This figure clearly identifies where improvements are necessary.
Awareness of the policies needs to address why the policy is important to the users. Many policies require users to take additional steps that may slow or impede the work they do. At the bare minimum, security policy adherence will require users to change their routines. Users will not be motivated to change their habits, and they will resist attempts to impede their work unless they understand how these policies benefit them.
Users need to be brought “on board” so that they agree with the policy and are motivated to comply with it. The first part of this initiative is to educate users on the value of the information they possess and the importance of their position within the company. The second step is to show them how this information can be compromised and finally, how they can protect that information by adhering to the policy.
Awareness research findings
Current research has identified some concerning statistics in regards to insecure employee practices. The table below summarizes a portion of the results from a recent Ponemon survey and shows areas where security awareness is lacking.
| Routine actions performed by users | Percentage |
|---|---|
| Storing data on insecure mobile devices | 61% |
| Downloading Internet applications on workplace computers | 53% |
| Using web-based personal email in the office | 52% |
| Divulging passwords to others | 47% |
| Losing equipment with privileged or confidential data | 43% |
These five activities were routinely performed by roughly half of those surveyed. Each activity is potentially harmful to a company. Storing data on insecure mobile devices could allow unauthorized individuals access to company data if those devices were stolen. The last item in the table above shows that equipment containing privileged or confidential data is routinely lost. This would expose the company to potential privacy litigation, a loss of reputation, or a loss of competitive position in the marketplace if the data contained trade secrets, proprietary processes, or customer lists.
Downloading Internet applications could infect company computers with malware, including rootkits, Trojan horses, viruses, and backdoors into enterprise systems. These applications can also cause incompatibilities with supported software, making it difficult for employees to perform their jobs. Many employees already know how easy it is to make a computer unusable by downloading software from the Internet, as the practice is very prevalent among home users. Awareness programs should educate users on how downloading Internet applications can impact their ability to perform their job.
Using personal web-based email in the office brings risks similar to downloading applications. Awareness programs should educate users on how using web-based email can impact their ability to perform their job. Many attacks are email based, and while organizational email is often screened by filtering equipment that removes malicious messages, web-based email may not be protected in the same way.
Divulging passwords to others gives them the ability to perform any action the user can perform. This could make it appear that the user who shared his or her password committed crimes or misused their authority. Users who are aware of this may be less likely to share their passwords with others. Awareness programs can stress that even a trusted person may not adequately protect a username or password, allowing it to fall into a malicious user’s hands. Passwords should not be shared even with trusted users. For more information, see the article “Guidelines for Username and Password Risk Management.”
As can be seen from this data, users routinely take actions that could be harmful to organizational information systems. Many companies already have policies that restrict such activities, but users are unaware of them, as the low rating of awareness training reflects. Until users know of the policy and are motivated to follow it, trends like these will continue, and organizations will remain vulnerable. It is imperative that users be educated on the role of policy and be motivated to adhere to these policies once they are established.