BreachExchange mailing list archives

Dealing With Careless Users as a CIO


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 9 Feb 2016 18:48:24 -0700

http://www.smartdatacollective.com/xanderscho/382719/dealing-careless-users-cio

The majority of Chief Information Officers (CIOs) are generally well versed
in the various facets of securing organization networks, encrypting
sensitive data and protecting private customer information. While as a CIO
you may be on top of your game, there may still be a glaring security flaw
you have overlooked or ignored: your organization's end-users.

Helping Your End-Users to Think Securely

It is true that you have invested heavily in the latest cutting-edge
security software and have also engaged the best trained IT talent in your
organization, but always keep in mind that you also have end-users. Among
your employees are professionals in sales, marketing, and administrative
roles.

These are the people in your setup who are generally woefully unprepared
when it comes to dealing with social engineering schemes and phishing
scams, and this can cause a great many security breaches. Online security
professionals observe that this is a major component of company security
problems. Your end users must be involved in the whole process.

Dealing with Potential Risk Areas

It is a fact that your end users are your greatest company asset and, in
terms of security, can also be the weakest link. Users typically know which
organization policies and processes are actually followed and which get
ignored. For this reason, they make an excellent barometer that, as a CIO,
you can use to gauge how effective your security measures are.

This is particularly true of processes that are not as secure as you would
want them to be. Your end users must also be educated. For instance, they
need to understand that many types of malware arrive as an installed
application, and that for the installation to take place there is usually a
request for some additional user interaction.

An example would be when the user clicks on a link and is asked by the
system to install some additional software. This could very well be harmful
malware, and when they encounter such a request, they should report the
incident to the IT department or follow the company's well-defined process.

The Role of Education

Educating and empowering your end-users regarding their responsibilities
for upholding organizational security best practices is probably one of the
best and most effective ways to strengthen your overall security strategy.

Your focus should be teaching the end users about the ever-present daily
threats they encounter and ways of dealing with them. Your approach must
incorporate a hands-on learning methodology. The objective should be to let
the end-users learn what phishing emails look like. Educate them on ways of
verifying the legitimacy of a request, given the diverse social engineering
tactics employed today.

As part of your strategy, make sure you actively involve your end-users in
the security strategy of the organization. They should not be following
commands and directives coming from the leadership without understanding
the rationale that lies behind some of those best practices.

Make Security Communication Two Way

Experts suggest that for security education to be effective, it has to be a
two-way street. Regular and clear communication is a must, and information
needs to be shared, particularly around common targeted attacks. Such
security-related communications need not be a big production. Making the
conversations a daily element of your business can go a long way towards
helping end-users appreciate that organizational security is something that
needs the concern and input of everyone.

Solid Strategy Must Back up Education

A solid strategy must be put in place to back the training and education.
It must also include a process for dealing with threats as soon as they are
identified and with attacks whenever they take place.

Possible approaches include sending newsletters or regular email bulletins,
as well as offering instructor-led training and formal computer-based
education. Security experts recommend making the advice personal and
extending it so that it becomes applicable at home as well. This way,
security consciousness becomes part of daily life.

Examples can be offered from already published media reports that address
successful phishing attacks, showing examples of documents that are
infected. These will assist the end users to recognize and identify
potential attack areas.

Systems and Server Monitoring

All the education you impart to your end users isn't a totally foolproof
solution. There will be times when your employees click on something they
shouldn't have, install malware, or inadvertently activate a dangerous
virus. Some of those incidents may go unreported, posing a continuous
threat to your security.

This is why it is important to constantly monitor your systems. Today there
are excellent applications that can be deployed for monitoring the
organization’s server. Such an application will raise the red flag any time
it identifies new installations coming from your end users. Alternatively,
some can be configured so that any app installations must first be given
the green light by the IT department.
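The monitoring control described above, as an added illustration that is not part of the original article or any product it refers to: a small reviewer that reads install events, lets IT-driven and pre-approved installs pass, and raises an alert for everything else. The log format, the package allowlist and the IT account name are all constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample install-event lines in a hypothetical "key=value" format
# (not the log format of any real product).
SAMPLE_EVENTS = """\
2016-02-09T09:02:11 host=ws-017 user=svc_it action=install package=AcmeAV-5.2.msi
2016-02-09T10:15:43 host=ws-042 user=jdoe action=install package=FreeDownloader.exe
2016-02-09T10:16:01 host=ws-042 user=jdoe action=install package=FreeDownloader.exe
2016-02-09T11:40:09 host=ws-103 user=asmith action=install package=Office-2013-Update.msi
2016-02-09T12:03:55 host=ws-077 user=bwong action=uninstall package=CalcPlus.exe
2016-02-09T13:22:30 host=ws-009 user=clee action=install package=InvoiceViewer.scr
"""

# Hypothetical policy: packages IT has given the green light to, and the
# account IT itself uses for deployments.
APPROVED_PACKAGES = {"AcmeAV-5.2.msi", "Office-2013-Update.msi"}
IT_ACCOUNTS = {"svc_it"}

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) package=(?P<package>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    user: str
    package: str
    reason: str


def review_install_events(text, approved=APPROVED_PACKAGES, it_accounts=IT_ACCOUNTS):
    """Return one Alert per unapproved end-user install.

    Repeated events for the same host/user/package are collapsed into one alert
    so a retried installer does not flood the IT queue.
    """
    alerts, seen = [], set()
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m or m["action"] != "install":
            continue  # malformed lines and uninstalls are out of scope here
        host, user, pkg = m["host"], m["user"], m["package"]
        if user in it_accounts or pkg in approved:
            continue  # IT-driven or pre-approved install: nothing to flag
        key = (host, user, pkg)
        if key in seen:
            continue
        seen.add(key)
        reason = "unapproved package installed by end user"
        if pkg.lower().endswith((".exe", ".scr")):
            reason += "; bare executable rather than a packaged installer"
        alerts.append(Alert(m["ts"], host, user, pkg, reason))
    return alerts
```

Feeding the constructed log through the reviewer yields two alerts (jdoe's downloader, reported once despite the retry, and clee's screensaver), while the IT-deployed antivirus and the approved Office update pass silently.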

Finally, as a CIO, always remember that even the best of processes and
education need the backing of sound technology. Yes, your end users may be
the first defense line, but when it comes to security, technology is the
last line of defense. Antispam, antivirus, and advanced adaptive solutions
for data loss prevention must be employed across all company communication
channels.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
