WHITE PAPER: SECURITY AWARENESS PROGRAM. Creating a Security Savvy Workforce

Transcription

1 WHITE PAPER: SECURITY AWARENESS PROGRAM Creating a Security Savvy Workforce

2

3 White Paper: Symantec Security Awareness Program Creating a Security Savvy Workforce Contents Executive summary Ensuring a secure organization Employees often directly impact the organization s security Building a foundation of awareness Begin with the current environment Selling security awareness: How much is your security worth? Designing an effective security awareness program Identify audiences and define objectives Create meaningful content Implementing the program Measuring program effectiveness Key indicators of changes in behavior Symantec Security Awareness Solutions Conclusion

4 Executive summary Because solid information security practices are built on technology, policies, and people, even the best security policies and procedures and state-of-the-art technology can be undermined by lack of employee awareness. A security awareness program that includes training, education, and communication at all levels of the organization can help employees learn how to proactively protect information assets. This paper explains how employees impact an organization s security and how to communicate with upper management about the necessity and value of a security awareness program in addressing security issues. Next the paper provides an overview of steps to develop, implement, and measure the effectiveness of a security awareness program. Finally, the paper explains how Symantec Professional Services can help organizations design and develop such a program, while the Symantec Security Awareness Program, a comprehensive set of computer-based training and communications tools, can help train employees to ensure program effectiveness. Ensuring a secure organization Most organizations implement a number of positive measures to secure their network. These steps may include deploying state-of-the-art technology, creating stringent policies and procedures, and assigning IT staff to manage these policies. Yet in spite of these efforts, many organizations information assets may not be secure as they should or could be. The fact is that in today s interconnected marketplace and global economy, information assets are at a greater risk than ever before, as threats are more lethal than they were in the past 1. Risk management and due diligence requires that organizations reduce security vulnerabilities to drive down the amount of time and money spent to recover from security incidents, while also ensuring valuable information is protected. At the same time, compliance with regulatory requirements is of growing importance, as a failure to comply may result in financial and legal liabilities, lost business, and a decline in customer confidence. To better protect themselves from such losses, most organizations have deployed a variety of security technology solutions in conjunction with security policies and procedures. But the effectiveness of even the best technology and procedures is limited if employees do not understand their role in securing the organization s information assets. 1 Ernst & Young, Global Information Security Survey

5 Employees often directly impact the organization s security Many of the strongest security technologies and policies are evaded not by experienced hackers, but by unaware or untrained employees. Common internal causes of security vulnerabilities include poor password protection, failure to update protection software, failure to scan files, inappropriate on-the-job Web surfing and file downloading, and social engineering. The impact of these vulnerabilities leaves the network exposed and the organization vulnerable to exploitation, attack, and loss of proprietary information. These security gaps also can prompt a high rate of virus infection (and re-infection), along with a reduction in available network bandwidth. Ultimately, all of these translate into lost productivity due to down time and increased costs to repair programs and replace lost or stolen equipment. Table 1: Employees directly impact security Examples of Inappropriate Employee Behavior Poor password protection Failure to maintain positive control of laptops and PDAs Lax telephone security Inability to appropriately respond to social engineers or fraudulent actors Failure to update virus protection software and scan files Launch attachments Surf Web and download files from Internet Potential Operational Impact More open to network attack Loss of proprietary information; costs to replace equipment High costs from telephone fraud Vulnerable to exploitation and attack High rate of virus infection; lost productivity due to down time High rate of virus re-infection Reduced network bandwidth; loss of worker productivity When it comes to information security, people are just as important as security technology, policies, procedures, and guidelines. With a full understanding of policies and procedures and their importance, employees can actually strengthen an organization s security posture. In fact, with proper planning and training, employees can become an organization s strongest line of defense. Building a foundation of awareness A security awareness program enables organizations to improve their security posture by offering employees the knowledge they need to better protect the organization s information through proactive, security-conscious behavior. To successfully protect information assets, employees at every level from the top down need a basic understanding of security policies as well as their respective responsibilities in protecting these assets. Without this understanding, organizations cannot hold employees accountable for protecting the organization s resources and ultimately, its profitability. 3

6 To be effective, a security awareness program must be ongoing and include continuous training, communication, and reinforcement. A one-time presentation or a static set of activities is not sufficient to address the ever-evolving threats to the security landscape. The key messages, tone, and approach must be relevant to the audience and consistent with the values and goals of the organization. Equally important, an awareness program must influence behavior changes that deliver measurable benefits. Begin with the current environment One of the most overlooked, yet significant, steps in creating an effective employee security awareness program is an assessment of existing security practices and employees level of security awareness. Organizations must evaluate their current environment and determine if there are any security awareness problems or particular needs to address. For example, are there specific security requirements associated with remote worker or mobile devices, or other special circumstances that will require extra security attention? Organizations must also determine how new employees are trained, if they understand how to properly operate their computer equipment, and how well they understand existing security policies. Answers to the following three key questions will provide the critical information needed to create a security awareness program: Is there a security policy that is enforced across the entire organization? What are the practices and technologies in place that can help detect a security breach? Do employees know what to do if they detect a security violation? The answers to these questions can help organizations set high-level objectives for the awareness program. Ideally, these objectives should be aligned with the organization s overall goals. To ultimately measure the success of these objectives, current security practices should be benchmarked. For instance, how long does it take to crack employee passwords and how frequently do virus re-infections occur throughout the organization? In addition to helping measure program effectiveness, collecting these benchmarks at the outset will help establish quantifiable objectives for the program. For example, a good employee awareness program objective might be: within three months, no employee password should be cracked in less than 30 seconds. 4

7 Selling security awareness: How much is your security worth? Before development of the employee security awareness program begins, senior management must understand and fully support it. Without upper management s endorsement and support, the program is prone to failure if management does not take security seriously, the organization s general population will likely not do so either. An effective approach to selling a security awareness program to senior management is to focus on the bottom line, by demonstrating how a comprehensive security awareness program not only will protect the organization s resources, but will also help ensure regulatory compliance, and improve productivity and profitability in the long run. Hard facts will almost certainly help management understand the importance of security policies and training, and should be included in any security awareness proposal. As part of the cost/benefits analysis, the security administrators spearheading the project should research various employee education solutions and calculate costs, including all resource and time requirements. If possible, they should include an estimate of how much money the organization loses each year due to security breaches. These costs may be associated with Web downtime, lost information, fraudulent telephone use, loss of employee productivity, or liability if information is stolen or unusable for a certain amount of time. Once these costs are understood, it becomes easier to demonstrate how implementation of a strong security awareness program can lead to reductions in these losses. As soon as managers see the program s potential value, they are more likely to actively support security awareness programs and initiatives aimed at maintaining and enforcing security policies. When outlining an awareness program to upper management, program champions need to identify key stakeholders throughout the organization. These may include managers from human resources, training, internal communications, operations, public relations, legal, and physical and IT security. Clearly presenting the value of an employee security awareness program to these different stakeholders helps demonstrate a compelling case that speaks to the operational needs of each interested party and considers not only the intrinsic value of the organization s information, but also the benefits of protecting that information with a security-savvy workforce. An effective awareness program can provide value as part of an organization s regulatory compliance, information security, and risk strategy. It also provides a competitive edge by effectively addressing any internal weaknesses. While the business case to management should make it clear that information security incidents are indeed damaging, it should also emphasize that employees can help prevent many of these vulnerabilities. 5

8 Designing an effective security awareness program To design the program, the program coordinator should enlist the input and participation of a broad cross-range of personnel, such as those from IT and physical security, training, HR and legal, and marketing and internal communications. This task force will develop unique content and delivery strategies for executives, middle management, IT and information security staff, and general employees, and determine the scope and design of the program with behavioral change in mind. Based on information obtained from the audit of communication needs for various employee groups, the task force can establish core content topics that address the most significant security challenges. Designing the program requires the development of a significant amount of documentation, including: A high-level charter that explains the program s objectives A high-level design that defines current security issues and how they will be addressed Detailed documents that describe how the program will be implemented, managed, and measured Details include defining key messages and determining who will actually create, review, and approve the content. In conjunction with the design, the task force should consider branding issues, to ensure that employees associate the program materials with the organization. Additionally, this group will need to determine the look and feel of all materials (for instance, online materials, printed copies, videos and presentation materials), and establish how the training will be deployed. Identify audiences and define objectives In a large organization, there are typically several categories of employees: executives, middle management, IT and information security staff, and other groups within the general workforce population. Given the unique responsibilities of these different types of employees, it is likely that they will require varying levels of security awareness. Identifying specific objectives for each category of employee is helpful. 6

9 To encourage a lasting and measurable change in behavior, both high-level and specific objectives for the awareness program should be easily understood and meaningful. The task force should identify specific measurable benefits that are realistic and attainable, as well as timely. For example, rather than simply striving to reduce the number of weak passwords, organizations can set an objective to reduce the number of weak user passwords by 75 percent within three months. The objectives must be measurable so that management can ascertain whether or not an adequate return has been realized for the time and resources invested in the program, as well as to help determine how successful the program is in helping the organization achieve the stated goals. Create meaningful content Perhaps the most significant aspect of a security awareness program is the content itself. It not only needs to explain the organization s security policies and the procedures that are in place, but also why it is important for employees to comply with those policies, procedures, and guidelines. By basing the core content for the program on security industry best practices and international security standards (such as those embodied in ISO ), organizations can ensure they are addressing current security concerns via proven methods. Once the organization s security policies are outlined, employees will need to be educated about simple steps they can take to protect the organization s data, such as how to handle attachments and safely create and store passwords. Workers who telecommute or travel frequently should understand how to secure their laptop, mobile phone, or PDA. Issues such as social engineering, mobile or remote workers, and regional or language issues for enterprises with multiple offices may require special consideration. Recommended content of a security awareness program Communicate your security policies and procedures Establish core content based on security best practices: Protecting critical information Social engineering Mobile/remote worker Virus protection Password protection Web browser security Stress the importance of each awareness topic Highlight areas of specific concern Spell out consequences and penalties for noncompliance Ensure ongoing maintenance and content refreshment 2 International Organization for Standardization, 7

10 The content of an awareness program will likely need to address the unique requirements of the various categories of employees. To ensure that employees change behavior and actions that negatively impact security, organizations need to make sure that each person fully understands his or her role as it relates to each security policy and their need to comply with it. Once employees understand that security risks can be reduced or eliminated if they modify their behavior, they are often more open to change. For example, many employees may not see the harm in opening unsolicited attachments. Examples of possible worst-case scenarios can prove more effective than a simple explanation. If possible, companies should illustrate what happens if one employee opens an attachment, activates a virus, and forwards it to the entire workforce. Implementing the program In addition to relevant content, the success of any security awareness program will rely heavily on how the information is delivered. Depending on the organization s culture, employee security awareness training can be incorporated into new-hire orientations, lunch n learn seminars, and special training sessions by department, while executives and mid-level managers are likely to be receptive to training that is incorporated into regular management meetings. While management personnel with security responsibilities may require additional training, they can also prove to be the strongest advocates of the awareness program. To ensure the success of such training, everyone in the organization should participate, not just new employees or other select groups. Meaningful rewards and positive reinforcement can be important and effective means to encouraging positive security behavior and acknowledging proactive participation. The type of rewards will largely depend on the organizational culture. In addition to rewards, companies can show employees how their behavior has improved the organization s security stance, perhaps by providing a comparison of statistics before the program was implemented, after the initial training, and six months after the training. Because people like to see how they have improved, providing them tangible results can further encourage them to improve their behavior to protect critical assets. Vehicles for communicating the security awareness program: New-hire orientation Lectures/seminars Lunch n Learn sessions Web-based training Videos, DVDs, CDs Corporate outings/events Management meetings Board of Directors meetings Add-on to other training events Guest speakers Informal leaders, influencers Corporate newsletters Posters, marquees Pamphlets, reminder cards blasts, Web reminders Screen savers Web banners Job aids Quizzes Contests 8

11 Measuring program effectiveness To ensure long-lasting results, the most effective security awareness programs are ongoing, and incorporate content that is regularly updated to meet changing security needs. Those organizations with a learning management system (LMS) in place can use it to support program training scheduling, registration, content, and tracking. As part of establishing a continuous learning cycle, organizations need to run multiple security awareness campaigns, and communicate with employees on a regular basis. Similarly, the effectiveness of the program will also hinge on periodic evaluation, review, and revision of training topics and security awareness campaigns. Online security awareness programs often include their own tracking system that enables organizations to identify who is participating in the training, how much time they spend on the program, and whether they actually complete the training. Many of these solutions also include evaluations, such as quizzes, as well as a means to track test results via management reports, and metrics against which organizations can evaluate results. Should an organization opt to use an off-the-shelf solution or work with a security provider, they should ensure the training content provided meets Sharable Content Object Reference Model (SCORM) standards 3. Based upon the work of leading industry organizations, SCORM standards have been developed to address the integration of training content into LMS applications, and define standards for content development and delivery for Web-based training. Key indicators of changes in behavior In addition to measurable results, changes in employee behavior also provide evidence of the effectiveness of the security awareness program. Key indicators of positive changes include a drop in virus infection (and re-infection) and a reduction in the types and number of calls to the help desk. Informal walk-around audits can provide additional indications by helping to evaluate whether or not passwords are openly displayed on desktops, if systems are left logged on and unattended, or if sensitive paperwork is left on desks overnight. From a network perspective, a successful security awareness program should result in better system performance and Web use. Password-checking programs also can help to measure the program s effectiveness. 3 For more information about SCORM: 9

12 Communicating quantifiable results to the management team is critical to demonstrating that the program is successfully creating an informed organizational culture and is delivering measurable results. Such communications will remind management that the security awareness program was the right decision and positions the program leader as the go-to person for subsequent security projects. Symantec Security Awareness Solutions Designing and implementing a security awareness program can be a formidable task even if the organization has the expertise and internal resources. Fortunately, organizations can leverage the expert assistance of security professionals and numerous off-the-shelf security awareness solutions. Symantec Professional Services provide assessment, planning, and design services that help companies build effective security awareness programs. Since they are knowledgeable in all aspects of security awareness, Symantec security experts can help organizations develop a program, train employees to protect information, measure results, report progress to upper management, and prepare for regulatory audits. To round out an awareness program, organizations can use solutions such as the Symantec Security Awareness Program, offered by Symantec Education Services. This program provides a comprehensive set of training and communications tools to help companies meet regulatory requirements for employee security awareness training, while encouraging appropriate behavior and reducing security vulnerabilities. Based on security industry best practices and international security standards embodied in ISO17799, the program addresses a full range of today s key security issues via a series of ten technology-based training modules. Along with computer-based tutorials, the program provides supporting material, including screen savers, ready-to-print pamphlets, reference cards, and posters for effective communications to all employees. Organizations can insert additional content into the Web-based training tool such as explanations of organizational policies and links to other documents or Web pages and can also co-brand all of the training materials to reinforce organizational identity with the content. 10

13 Table 2: Security topics covered in Symantec Security Awareness Program Security Topics Information Protection Social Engineering Remote Worker Security Virus Protection Password Security Web Browser Security Security Instant Messaging Security Telephone Security Mobile Security Benefit Communicates the need to protect business information and suggests measures that employees should take to reduce risks and properly protect vital organizational information. Makes the workforce aware of various social engineering ploys how they are implemented, why they are implemented, and ways to avoid them. Discusses the risks associated with working remotely and ways to protect the organization s information while working remotely. Educates the workforce on computer viruses, Trojan horses and worms, and recommended practices to reduce the risk of infection. Tells employees why passwords are so important, how to create strong passwords, and best practices for password use. Informs of the risks associated with using a Web browser to surf the Internet, and provides measures to be taken to reduce the risks. Reminds employees of proper etiquette and reminds them of the risks of virus infection from attachments. Explains some of the risks associated with instant messaging communications tools and provides precautions that should be applied to ensure instant messaging practices do not jeopardize confidential information. Communicates the importance of telephone security, the severity of telephone fraud, and security best practices to reduce the risks associated with telephone fraud. Makes employees aware of the risks associated with the use of laptops and Personal Digital Assistants (PDAs), and provides ways to reduce those risks. 11

14 Conclusion Sophisticated security technologies alone cannot secure the enterprise. The most successful information security combines state-of-the-art technology, comprehensive procedures and policies, and a highly trained and motivated workforce that understands its roles and responsibilities in protecting the organization s valuable information assets. While many organizations have robust employee communications programs in place, they cannot always dedicate the time and resources needed to develop and implement an effective, long-term employee security awareness program. Before making the decision to implement an awareness program, organizations should consider leveraging the security expertise of leading security solution providers such as Symantec to help develop a program, train employees to proactively protect information, and measure the results of the organization s security awareness program efforts. By engaging experts to assist in improving the organization s security posture, employees can focus on improving their business and bottom line. 12

15

16 About Symantec Symantec is the global leader in information security providing a broad range of software, appliances and services designed to help individuals, small and mid-sized businesses, and large enterprises secure and manage their IT infrastructure. Symantec s Norton brand of products is the worldwide leader in consumer security and problem-solving solutions. Headquartered in Cupertino, California, Symantec has operations in 35 countries. More information is available at Symantec has worldwide operations in 35 countries. For specific country offices and contact numbers please visit our Web site. For product information in the U.S., call toll-free Symantec Corporation World Headquarters Stevens Creek Boulevard Cupertino, CA USA Symantec and the Symantec logo are U.S. registered trademarks of Symantec Corporation. Symantec Security Awareness Program is a trademark of Symantec Corporation. Other brands and products are trademarks of their respective holder/s. Any technical information that is made available by Symantec Corporation is the copyrighted work of Symantec Corporation and is owned by Symantec Corporation. NO WARRANTY. The technical information is being delivered to you as-is and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the technical documentation or the information contained herein is at the risk of the user. Copyright 2004 Symantec Corporation. All rights reserved. 12/