One of the most difficult jobs in information technology is that of the network security engineer. The demands of the work are incredible. Network security engineers need to be technically gifted to keep up with the breakneck pace of new technologies and vulnerabilities. They must be ready to put their lives on hold and go into work at all hours of the night to remediate security incidents, which can range from emergency code upgrades all the way to breaches of the network. The most challenging part of the job is protecting users' identities and information from those breaches. Effective network security engineers take personal pride in making sure that all users are educated about security risks, through sound network practices and training seminars.

The security-conscious employee is always asking, “How could someone take advantage of this situation?” #securityawareness
— Joe Baker | Sr. Network Engineer at AfidenceIT

Users are the biggest security threat to any organization. They don’t mean to be so dangerous, but users are the only component of an organization that we cannot secure and configure ourselves. Network engineers have to anticipate how users actually behave in order to deliver security standards that protect valuable user information. On top of their technical duties, security experts are also tasked with formulating a plan for securing the impossible. Many organizations require security training during orientation and sometimes on an annual or twice-yearly basis. I have been on the receiving end of these training programs, and the content has varied from network and email security procedures to physical security and building access. These are valuable subjects for all people to know, not just employees. But how do we make sure that employees make thinking about security a habit?

A fine line exists between being security focused and being a conspiracy theorist. Then again, I’ll bet that the conspiracy theorist has a better handle on his Facebook privacy settings than the average user. The security-conscious employee is always asking, “How could someone take advantage of this situation?” The primary objective of security training is to instill exactly that awareness.

BEST INTENTIONS GONE WRONG

Let’s say a group of employees receives a spam email asking them to download a particular file or click on a link. Often the employees’ first response is to use “reply all” to warn everyone that the message is spam. That sets off a chain of further “reply all” responses, including the inevitable “stop replying to all” emails. Within minutes an inbox goes from holding one copy of a potential virus to fifty copies, each still carrying the link or the attachment. The recommended response is to leave the link and the attachment alone and forward the email as an attachment to the security team. Forwarding as an attachment, rather than inline, preserves the original message headers, which the security team needs in order to see how the email got past the filters and to tune them; the security team can then notify the rest of the company.
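Here is an added example, not from the original post, of what the security team's side of that procedure can look like: a small Python script that takes a report forwarded as an attachment, pulls the nested original message out of its message/rfc822 part, and lists the indicators needed to block the sender and tune the filters. It also shows the failure mode of an inline forward, where there is no nested message to extract. The mail it parses is constructed inside the script; the addresses, domains and file name are made up, and the red-flag checks are my own illustrative heuristics, not a rule set from the original page.

```python
"""Triage a phishing report that was forwarded as an attachment.

Added example with constructed sample mail; every address and domain here
is made up. Forwarding "as attachment" nests the original mail as a
message/rfc822 part, so its headers (From, Reply-To, Received, ...) reach
the security team untouched. An inline forward only quotes whatever the
reporter's mail client chose to show, and the headers are lost.
"""
import hashlib
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Optional

URL_RE = re.compile(r"""https?://[^\s<>"')]+""", re.IGNORECASE)
# Illustrative list of extensions worth flagging; extend to taste.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".js", ".hta", ".vbs")


def build_sample_spam() -> EmailMessage:
    """Constructed spam: spoofed helpdesk, foreign Reply-To, an .exe attached."""
    spam = EmailMessage()
    spam["From"] = '"IT Helpdesk" <helpdesk@example.com>'
    spam["Reply-To"] = "collect@mail-example.net"
    spam["To"] = "staff@example.com"
    spam["Subject"] = "Action required: password expires today"
    spam.set_content("Reset now: http://login.example-com.net/reset\n")
    spam.add_attachment(b"MZ fake executable bytes", maintype="application",
                        subtype="octet-stream", filename="Reset_Tool.exe")
    return spam


def build_report_as_attachment() -> bytes:
    """The right way: the original rides along as a message/rfc822 part."""
    report = EmailMessage()
    report["From"] = "alice@example.com"
    report["To"] = "security@example.com"
    report["Subject"] = "FW: suspicious email"
    report.set_content("This looks off. Forwarding it as an attachment.\n")
    report.add_attachment(build_sample_spam())  # Content-Type: message/rfc822
    return report.as_bytes()


def build_report_inline() -> bytes:
    """The wrong way: an inline forward keeps only quoted body text."""
    report = EmailMessage()
    report["From"] = "alice@example.com"
    report["To"] = "security@example.com"
    report["Subject"] = "FW: Action required: password expires today"
    report.set_content("Is this real?\n\n> Reset now: http://login.example-com.net/reset\n")
    return report.as_bytes()


def extract_reported_message(report_bytes: bytes) -> Optional[EmailMessage]:
    """Return the forwarded original, or None if it was forwarded inline."""
    report = message_from_bytes(report_bytes, policy=policy.default)
    for part in report.iter_attachments():
        if part.get_content_type() == "message/rfc822":
            return part.get_content()  # the nested original message, headers intact
    return None


def triage(msg: EmailMessage) -> dict:
    """Pull the indicators the security team needs to block and to tune filters."""
    from_addr = parseaddr(str(msg.get("From", "")))[1].lower()
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1].lower()
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    urls = sorted(set(URL_RE.findall(text)))

    attachments = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        attachments.append({"filename": part.get_filename() or "",
                            "sha256": hashlib.sha256(data).hexdigest()})

    flags = []
    if reply_to and reply_to.rsplit("@", 1)[-1] != from_addr.rsplit("@", 1)[-1]:
        flags.append("reply-to domain differs from From domain")
    if any(a["filename"].lower().endswith(EXECUTABLE_SUFFIXES) for a in attachments):
        flags.append("executable attachment")
    if any(u.lower().startswith("http://") for u in urls):
        flags.append("plain-http link")
    return {"from": from_addr, "reply_to": reply_to, "urls": urls,
            "attachments": attachments, "flags": flags}


def run_sample() -> dict:
    """Triage the constructed report; raises if the forward had no nested message."""
    original = extract_reported_message(build_report_as_attachment())
    if original is None:
        raise ValueError("no message/rfc822 part: ask the reporter to forward as attachment")
    return triage(original)


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
    print("inline forward usable:", extract_reported_message(build_report_inline()) is not None)
```

The hashes and URLs go straight into the blocklist and the mail filter, and the From/Reply-To pair tells you which sender the filter missed; none of that is recoverable from an inline forward, which is the practical reason to ask employees for an attachment.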

HOW DO WE GET THE SECURITY-THOUGHT PROCESS IN THE HEADS OF OUR EMPLOYEES?

So how do we do it? How do we get this security thought process into the heads of our employees? I’ve mentioned required training, but that only works on the willing. I have found that the most efficient form of learning is through experience. There are companies that specialize in social-engineering audits, such as simulated phishing campaigns, that evaluate which employees give up information or unknowingly run a virus on their computers. This kind of service can be costly, so it isn’t feasible for every company.

Some companies practice office hijinks to teach security lessons. For example, when employees walk away from their computer without locking it, they often come back to find that their desktop background has been changed or their icons moved. This kind of inconvenience is mostly harmless and makes the point, but security awareness should be a comprehensive, user-centric process that starts with employee onboarding and continues throughout employment.

The most feasible and cost-effective approach lies somewhere in the middle and layers the following methods:

1. Interactive online security training programs:

Conduct interactive security training during employee onboarding, and repeat it quarterly so that it both teaches and measures what employees have retained. Areas where scores are low can then be targeted in real-world exposure audits and in newsletters that reaffirm the security guidelines.

2. Exposure to real world experience of security threats:

Perform a yearly security assessment audit, including simulated attempts to get employees to give up information, to identify security risks and provide recommendations.

3. Periodic newsletter highlighting security breaches:

Use newsletters as educational reminders that highlight key security vulnerabilities and recent breaches. Keep the content light and interesting enough that someone will take a few minutes to read it.

One more thing before I go: Do you remember that Nigerian prince who wants to make you a millionaire if you help him open a bank account with a couple thousand dollars?  There is a possibility that he isn’t 100% legit…just sayin’.

JOE BAKER

Sr. Network Engineer at AfidenceIT