

  Scott Wright's Security Views
Blog Entry

Communicating the need for "security policy" in SMBs and other organizations

Tuesday, June 30th 2009 @ 2:50 PM

It's a common problem in Small and Medium-sized businesses. The word POLICY sets you back and you lose credibility - whether you're talking about "security policy" or a "product return" policy. It can certainly turn off workers in the blink of an eye. (In fact, I've probably lost you already... ) So, what can you do if you feel that there are no consistent rules around security in your organization?

Security Policy is one of the major pillars of any security program. But if SMBs ignore this pillar, or fail to make progress in defining some consistently applied rules, it's really a demolition derby of rogue employees doing whatever they want, in the name of "innovation, agility, responsiveness" or any other advantage a small business has over its larger industry peers.

Policies seem to be more acceptable in larger organizations, where you need them to avoid complete anarchy. But where security is concerned, policies - or something resembling them - are critical, even for the smallest of companies. A one-man shop or a family computer in the kitchen needs a set of guidelines or conventions for working safely.

I've worked with companies where I knew as soon as the word slipped out of my mouth that they thought I was trying to drive a nail with a sledgehammer, with respect to securing their operations - way overkill in their minds.

But if you can find out what the organization's culture "cares about", you can start to identify the consequences of failing to have something equivalent to good security policies. What would be the consequences if some information was disclosed or modified without authorization? Or what would be the impact on revenues or costs if information your business relies on was unavailable to you when you needed it?

Once you've identified those impacts, you need to choose a less inflammatory word that you can use to represent the concept of policies that provide consistent rules for protecting against the consequences.

Here are some suggestions or euphemisms:

    * Rules
    * Guidance
    * Guidelines
    * Helpful Hints
    * Tips
    * Conventions

Using whatever term you choose consistently, as a way to frame what we would otherwise call policies, will start to ingrain the need for some acceptable governance you can point to when talking to anyone outside who refers to policies.

Perhaps you already have this kind of environment in place, and never realized it. Just because you don't call them policies doesn't mean you can't use what you have as a basis for your security program. Once your organization grows, you may find that, through some miracle - perhaps a change in senior management - the word Policy becomes acceptable, and you can simply propose to "transform" your "guidelines" into policies.

What does your organization call these kinds of rules, or what would you suggest as an effective euphemism? We'd like to know.


Scott Wright

The Streetwise Security Coach

Phone: 1-613-693-0997
Email: scott@streetwise-security-zone.com
Scott Wright on LinkedIn 

To download my FREE Security Management Resource Guide now, and to receive my series of Streetwise Security Tips, as well as my Streetwise Security News and updates click HERE.

Blog Entry

It's the Databases, Stupid! - You can't say you don't have one somewhere in your enterprise

Monday, June 15th 2009 @ 7:14 PM

This article has a good summary of the motivations and mechanisms that are causing social networking sites to be a threat to enterprises.

http://www.threatpost.com/blogs/social-networking-attacks-target-enterprise-data

It does cover some fundamental problems that IT security managers need to be concerned with. However, one mechanism they don't discuss is weak passwords on multiple accounts at work and at home.

Either way, the article uncovers the most likely ultimate target in your enterprise - your databases.

Most organizations have at least one database, whether it's for client lists, orders, inventory, financial accounts... anything hackers can use to make money. The database is where most of the valuable information is, and it's pretty easy to find if there are insufficient safeguards in place.

The article also points out the need for security fundamentals within the enterprise, including layered security policies and proper access controls. Security awareness is essential, especially if social networks or any outsourced Web 2.0 enterprise services are accessible.

But, even personal Facebook pages that are only accessed from home can contain clues that allow attackers to piece together enough information to gain a foothold in an enterprise network, all in the name of getting access to your data, conveniently stashed in giant heaps within your databases.

Blog Entry

Avoid Being "Squatted On" In Facebook - Register Your Username ASAP

Friday, June 12th 2009 @ 11:05 AM

According to the notice I see on Facebook today, you might want to stay up until midnight to register your custom Facebook username...

Starting on Saturday, June 13th, at 12:01am in your time zone, you'll be able to choose a username for your Facebook account to easily direct friends, family, and coworkers to your profile. Check out the Facebook Blog for more information or send yourself an email with the details.

If you don't register your preferred username, somebody else might, which could result in scammers registering in your name and trying to phish your friends. The instructions are a bit complicated at the link above, but might be worth muddling through for the sake of your personal or business brand.

Business owners take note!


If you want your registered trademarks to be usable as usernames in Facebook, here is the guidance I have seen on the subject, which an associate of mine received from their head office...

Facebook has just advised that there is a very limited window open to owners of federally-registered trademarks to prevent such marks from being adopted by others as Facebook username URLs (i.e. www.facebook.com/[your trademark]) effective June 13th. In order to take advantage of this protection, you must notify Facebook of your registered trademark rights before the username registration process begins (namely 12:01 EST Saturday June 13th). Once you notify Facebook of your company's trademark rights, your trademarks will be blocked from adoption as usernames. You can do this by entering the relevant registration information at:

http://www.facebook.com/help/contact.php?show_form=username_rights

Note: If you are in Ottawa, you will learn some great security tips and strategies at my OCRI keynote on Social Networking Security: Managing the Information Security Risks of Facebook, Linked In and Other Web Marketing Tools - June 19th. See the link below:

http://www.ocri.ca/events/ocripartnered3.asp

Blog Entry

Learning styles and world views - Why some training programs don't work as well as others

Wednesday, June 3rd 2009 @ 11:23 PM

One of the biggest barriers to achieving an effective culture of security in an organization - even those with only a few employees - has to do with communication issues, not just the slide deck content. I'm talking about "learning styles", and what Seth Godin calls "world views". Too many security awareness initiatives seem to treat everyone as having the same capacity to absorb the content from a single slide deck.

Communication styles, in a nutshell, are known by psychologists to make a huge difference in how people absorb information. Some people are auditory communicators, meaning that they listen and speak in terms of the linear flow of information, as in "It sounds like you need to focus on the insider attack problem." Others are visual learners, meaning they tend to tune in better to visual inputs or even visual terminology like "I can see where you might think the plan is unclear." Still others learn and speak with a "kinesthetic" orientation, which involves tangible attributes and feelings, such as "Once I can get a grasp of the situation, we can move forward."

Different people may tune in or tune out part way through a training session, due to insufficient stimulus in their native learning mode. Despite this incomplete connection, an amateur instructor may feel that the "security awareness briefing" check box in their to-do list is complete, satisfying their policy requirement for training and awareness. However, the chances of effecting a cultural change in this home-grown security training environment may be far lower than expected.

Another problem that even experienced educators face, when it comes to security awareness training, is the audience's "world view". This is the sum total of an individual's experiences and expectations. I see at least 3 separate world views in most organizations that tend to cause misunderstandings and ineffective knowledge transfers regarding security:

  1. IT and R&D Staff - While they understand the limitations of technology, and often appreciate many of the security risks to the organization, they sometimes don't know which assets are critical to the organization's success. As a result, they may not know which risks are the highest priority to deal with, and get frustrated because they can never address all the risks with a limited budget, whether it's in Operations or R&D. At the same time, they do not always understand how to express risks and the effects of budget limitations in terms that non-technical staff, including senior management and executives, understand.
  2. Executives - Even though they see the big picture for the organization, and should know which business processes are the most critical, they tend to delegate too much responsibility for securing the business processes to the IT and Security staff without explaining the business priorities. They often don't recognize or appreciate the level of frustration experienced by those to whom responsibility is delegated. 
  3. Non-Technical Staff - With only a set of job objectives, a desk and a computer, the average employee is simply trying to get their job done. They may not fully appreciate the value their job brings to the organization's critical workflows. To them, policies usually seem irrelevant or out of date, and there is no big picture perspective. There is an old Eskimo saying, "The scenery only changes for the lead dog." So, they try to do their best, but if the messages they receive from management and the IT group are in stark contrast with reality, they can quickly come to the conclusion that they are on their own. This is when they start to make up their own rules for doing their jobs, and may even resort to looking out for number 1. At this point, they become a significant threat to the organization.

The three world views can be so disconnected that any attempt to educate staff about securing the organization's information assets simply becomes a waste of time.

That's why I promote a methodology that focuses on engaging all staff in thinking about their job's workflows. They can work within their own world view and immediately recognize what makes sense in terms of security and productivity in this context. The key element in my approach is to use questions that focus on the student's primary job functions and the information they handle, which gets them to think about the priorities for the information flows they use to get their jobs done.

I must credit Rebecca Herold (@privacyprof) for helping me articulate the benefits of considering learning styles, and also Michael Santarcangelo (@catalyst) for his relentless advocacy of "engaging employees in discussions about consequences".

All this to say, if you're going to do a "home-grown" security awareness training program, don't do a "one-size-fits-all" slide deck and check off the compliance box. Spend some time to think about these issues and do it right, or please give me a call.


Copyright 2012. Security Perspectives Inc. All Rights Reserved.