Scott Wright's editorials on a variety of security issues for non-technical business managers and home computer users. Please feel free to comment and help spread the word that managers need to think about their information security risks.
June 2009 Posts
It's a common problem in small and medium-sized businesses: the word POLICY sets people back and costs you credibility, whether you're talking about a "security policy" or a "product return" policy. It can turn off workers in the blink of an eye. (In fact, I've probably lost you already...) So, what can you do if you feel there are no consistent rules around security in your organization?

Security policy is one of the major pillars of any security program. But if SMBs ignore this pillar, or fail to make progress in defining some consistently applied rules, the result is a demolition derby of rogue employees doing whatever they want in the name of "innovation, agility, responsiveness" or any other advantage a small business has over its larger industry peers.

Policies seem to be more acceptable in larger organizations, where you need them to avoid complete anarchy. But where security is concerned, policies, or something resembling them, are critical for even the smallest of companies. A one-man shop or a family computer in the kitchen needs a set of guidelines or conventions for working safely.

I've worked with companies where I knew, as soon as the word slipped out of my mouth, that they thought I was trying to drive a nail with a sledgehammer; securing their operations that way was overkill in their minds.

But if you can find out what the organization's culture "cares about", you can start to identify the consequences of failing to have something equivalent to good security policies. What would be the consequences if some information was disclosed or modified without authorization? What would be the impact on revenues or costs if information your business relies on was unavailable when you needed it?
Once you've identified those impacts, choose a less inflammatory word to represent the concept of policies: consistent rules that protect against those consequences.

Here are some suggestions, or euphemisms:
* Rules
* Guidance
* Guidelines
* Helpful Hints
* Tips
* Conventions
Using whichever term you choose consistently, as a way to frame what we would otherwise call policies, will start to ingrain the need for some acceptable governance you can point to when talking to anyone outside who refers to policies.

Perhaps you already have this kind of environment in place and never realized it. Just because you don't call them policies doesn't mean you can't use what you have as the basis for your security program. Once your organization grows, you may find that, through some miracle (perhaps a change in senior management), the word Policy becomes acceptable, and you can simply propose to "transform" your "guidelines" into policies.

What does your organization call these kinds of rules, or what would you suggest as an effective euphemism? We'd like to know.
The Streetwise Security Coach
Phone: 1-613-693-0997
This article has a good summary of the motivations and mechanisms that are making social networking sites a threat to enterprises.

It covers some fundamental problems that IT security managers need to be concerned with. However, one mechanism the authors don't discuss is weak passwords used on multiple accounts at work and at home.

Either way, the article identifies the most likely ultimate target in your enterprise: your databases.
Most organizations have at least one database, whether it's for client lists, orders, inventory, financial accounts... anything hackers can use to make money. The database is where most of the valuable information is, and it's pretty easy to find if there are insufficient safeguards in place.
The article also points out the need for security fundamentals within the enterprise, including layered security policies and proper access controls. Security awareness is essential, especially if social networks or any outsourced Web 2.0 enterprise services are accessible from within the enterprise.
But, even personal Facebook pages that are only accessed from home can contain clues that allow attackers to piece together enough information to gain a foothold in an enterprise network, all in the name of getting access to your data, conveniently stashed in giant heaps within your databases.
According to the notice I see on Facebook today, you might want to stay up until midnight to register your custom Facebook username. Starting on Saturday, June 13th, at 12:01am in your time zone, you'll be able to choose a username for your Facebook account to easily direct friends, family, and coworkers to your profile. Check out the Facebook Blog for more information or send yourself an email with the details.

If you don't register your preferred username, somebody else might, which could result in scammers registering in your name and trying to phish your friends. The instructions at the link above are a bit complicated, but might be worth muddling through for the sake of your personal or business brand.

Business owners take note! If you want your registered trademarks to be usable as usernames in Facebook, here is the guidance I have seen on the subject, which an associate of mine received from their head office:

Facebook has just advised that there is a very limited window open to owners of federally-registered trademarks to prevent such marks from being adopted by others as Facebook username URLs (i.e. www.facebook.com/[your trademark]) effective June 13th. In order to take advantage of this protection, you must notify Facebook of your registered trademark rights before the username registration process begins (namely 12:01 EST Saturday June 13th). Once you notify Facebook of your company's trademark rights, your trademarks will be blocked from adoption as usernames. You can do this by entering the relevant registration information at: http://www.facebook.com/help/contact.php?show_form=username_rights

Note: If you are in Ottawa, you will learn some great security tips and strategies at my OCRI keynote on Social Networking Security: Managing the Information Security Risks of Facebook, Linked In and Other Web Marketing Tools, June 19th. See the link below:
http://www.ocri.ca/events/ocripartnered3.asp
One of the biggest barriers to achieving an effective culture of security in an organization, even one with only a few employees, has to do with communication, not just slide deck content. I'm talking about "learning styles", and what Seth Godin calls "world views". Too many security awareness initiatives treat everyone as having the same capacity to absorb content from a single slide deck.
Communication styles, in a nutshell, are known by psychologists to make a huge difference in how people absorb information. Some people are auditory communicators, meaning that they listen and speak in terms of the linear flow of information, as in "It sounds like you need to focus on the insider attack problem." Others are visual learners, meaning they tend to tune in better to visual inputs or even visual terminology like "I can see where you might think the plan is unclear." Still others learn and speak with a "kinesthetic" orientation, which involves tangible attributes and feelings, such as "Once I can get a grasp of the situation, we can move forward."
Different people may tune in or tune out part way through a training session, due to insufficient stimulus in their native learning mode. Despite this incomplete connection, an amateur instructor may feel that the "security awareness briefing" check box on their to-do list is complete, satisfying their policy requirement for training and awareness. However, the chances of effecting a cultural change in this home-grown security training environment may be far lower than expected.

Another problem that even experienced educators face, when it comes to security awareness training, is the audience's "world view": the sum total of an individual's experiences and expectations. I see at least three separate world views in most organizations that tend to cause misunderstandings and ineffective knowledge transfer regarding security:

The three world views can be so disconnected that any attempt to educate staff about securing the organization's information assets simply becomes a waste of time.
That's why I promote a methodology that focuses on engaging all staff in thinking about their job's workflows. They can work within their own world view and immediately recognize what makes sense in terms of security and productivity in this context. The key element in my approach is to use questions that focus on the student's primary job functions and the information they handle, which gets them to think about the priorities for the information flows they use to get their jobs done.
I must credit Rebecca Herold (@privacyprof) for helping me articulate the benefits of considering learning styles, and also Michael Santarcangelo (@catalyst) for his relentless advocacy of "engaging employees in discussions about consequences".
All this to say, if you're going to do a "home-grown" security awareness training program, don't do a "one-size-fits-all" slide deck and check off the compliance box. Spend some time to think about these issues and do it right, or please give me a call.