Information Security Magazine

Security Awareness Training Essential Part of Infosec Program
by Marcia Savage
Issue: Jun 2008

Nothing circumvents pricey defense-in-depth faster than people; educating workers about security is essential.


It's one of the hardest jobs a security officer has: teaching users about security. How do you grab an employee's attention during a busy workday? How do you get them to listen, let alone remember, when you explain the need to create strong passwords and to be cautious when opening email attachments?

To deal with this dilemma, Lynne Pizzini pulls out her bag of tricks--literally. In training presentations at Blue Cross and Blue Shield of Montana, she incorporates magic. One of her tricks uses colored scarves to illustrate the importance of strong passwords and the different elements that go into them; the result is a single, multi-colored scarf.

Another trick aims to get employees to understand that they, with all their access to data, pose the greatest security risk. Pizzini displays cards that illustrate seven security risks discussed in the presentation and shuffles them face down, however many times a participant indicates. Then Pizzini spells out "right" by flipping one card for each letter of the word (indicating that employees always want to do what's right); the "employees" card always appears as the letter "t" is reached.

Pizzini, security and privacy official at Blue Cross, says she found magic effective when she first used it a couple of years ago in a series of presentations to the health insurer's 700 employees. Afterward, employees told her they remembered her trick. "It was awesome for me to discover that it actually works," she says.

Pizzini's method may be unique, but organizations are using everything from online tutorials and newsletters to MP3s and prizes to get the security message across to their rank and file, all in an effort to protect themselves from the perennial weakest link: people. While companies spend tens of thousands of dollars on security technologies such as firewalls and access controls, their employees can undercut those defenses by sharing passwords, falling for social engineering scams, or simply not being aware of corporate security policies (see "10 Best Practices," below).

10 BEST PRACTICES
The University of California, Santa Cruz uses this list as a key part of its information security awareness training program.

  1. Use cryptic passwords that can't be easily guessed--and protect your passwords.
  2. Be cautious when using the Internet.
  3. Practice safe emailing.
  4. Secure your area before leaving it unattended.
  5. Secure your laptop computer at all times; keep it with you or lock it securely before you step away.
  6. Shut down, lock, log off of or put your computer to sleep before leaving it unattended, and make sure it requires a password to start up or wake up.
  7. Make sure your computer is protected with antivirus and all security patches and updates, and that you know what you need to do, if anything, to keep them current.
  8. Don't keep sensitive information or your only copy of critical data, projects, files, etc., on portable devices (such as laptop computers, CDs/floppy disks, memory sticks, PDAs and data phones) unless they are properly protected.
  9. Don't install unknown or unsolicited programs on your computer.
  10. Make backup copies of files or data you are not willing to lose--and store the copies very securely.

The detailed list is available at http://its.ucsc.edu/security_awareness/top10.php.

All Rights Reserved, Copyright 2003 - 2008, TechTarget