Saturday, September 18, 2021

How Users Can Play an Active Role in Security

During World War II, the United States was worried about German spies obtaining details about shipping routes and schedules to Europe. That is when it came up with the security awareness campaign "Loose Lips Might Sink Ships".

It was both a dramatic illustration and an obvious truth: if you don't watch what you say, people you never intended to hear you may pick up on the discussion and take advantage of it, maliciously.

I thought of the saying after listening to a very loud person, a senior executive I am pretty sure, discuss his business plans with an associate. Given how he projected his voice when he talked, a person two rooms down could have listened in as well while he discussed which firm was failing, whom they planned to acquire, and so on.

In our rush to implement technical solutions for security, it is imperative not to forget the role of users and the responsibilities that go along with it.

There are two parts to this. First, users need to understand their role in security. Second, there must be an ongoing awareness campaign.

Responsibility

Employees must understand that an effective internal control environment and security posture require them to play an active role. The formal responsibility and any specifics need to be outlined in each job description. The phrase "responsible for adhering to corporate policies and procedures" is an important addition: it lets the policy and procedure documentation be updated while the job descriptions are left alone. The employee should sign and date the form, attesting to his/her understanding of the position and compliance with its requirements.

The next step is to cover the policies and procedures during new hire training.

Formal classes should cover which processes and controls are relevant, and then the employee should date and sign a statement noting that the classes were conducted, that he/she attended the training, and that he/she understood the material presented. Management should consider using professional trainers to ensure that the lesson plans are correctly assembled and communicated, to maximize their efficacy.

Refresher training should be given annually. This is an ideal time to cover any changes to job descriptions, policies, procedures, and so on. The intent is to formally go over what is expected again, hear any concerns, and obtain signed and dated review forms.

Be prepared for questions and objections.

Inevitably, issues arise during these reviews. There needs to be a defined process to discuss and, where possible, resolve disputes. Note that standards cannot be infinitely flexible. In some cases, tough decisions will have to be made about whether to uphold the standard or accommodate the person in question. Constantly trying to do both, while granting concessions, will make the standard collapse and send the wrong message.

Awareness

The intent of awareness programs is to keep responsibilities and issues at the forefront of people's minds. They are not a replacement for training programs, but rather a supplement to training intended both to inform and to remind.

There are a great many ways to enhance awareness. The type of program followed depends on company culture and resources, notably time and money. In the same way that defenses are layered, consider layering your awareness programs to maximize their reach. Potential avenues include:

  • Emails, Newsletters and Web Pages — These can be used to send messages en masse. The challenge is getting users to bother reading the email or visiting the web page. Consider adding a competitive element: find the answer to the question and win a prize;

  • Lunch Seminars — Offer to bring in lunch, have a potluck, or have people bring their own lunches to hear about topics that can affect their lives both in and out of work. For example, discuss anti-virus, privacy, firewalls, spyware, monitoring children's Internet usage, etc. Company-specific messages can be interwoven with the topics of personal interest to the employees;

  • Posters — Put them up in lunch rooms, by the water cooler, etc. As with emails and web pages, the challenge is to have employees actually read the poster and internalize the message;

  • Hold Periodic Meetings — Have brief meetings to communicate updates about internal controls and security. The challenge with these is coordinating the meetings with departments that already have a full schedule of their own meetings and issues;

  • Attend Periodic Meetings — Rotate through the various departments and attend their meetings on a defined schedule to communicate updates. For example, you might strive to reach each department once per quarter; and

  • Competitions — As previously mentioned, competitions are a good way to get additional participation. Some groups offer gift certificates, a token electronic gizmo, etc. As the challenge and the payoff increase, so, typically, does the number of participants.

Technology and processes alone are not enough. The user community must be actively engaged and own the responsibility for internal controls and security as well. By working together, the organization can effectively and efficiently reduce risks. Without recognized and accepted ownership by the users, the organization's internal control environment and security posture will be compromised.
