Auerbach Publications

Mitigating IT Risks with Security Education and Training

Paul Hinkle

In today's interconnected marketplace and global economy, information assets are at greater risk than ever as incidents are becoming more devastating and expensive. With organizations growing more dependent on their information technology (IT) systems to conduct business, IT risk has become a primary concern.

IT risk management is the practice of balancing the cost of building a robust and secure IT infrastructure against the likelihood of an incident and the damage it would do to the organization. IT risk management is generally divided into four categories: security, availability, performance, and compliance.

Corporate IT-related incidents are attracting an ever-increasing share of the public's attention. News headlines announcing the loss of unencrypted personal information on stolen laptops, credit card numbers stolen from corporate IT systems, business disruptions due to computer outages, and IT infrastructures failing corporate customers under heavy load are all too frequent.

The 2007 Symantec IT Risk Management Report survey data indicate that a majority of respondents, which consisted of more than 500 IT executives and professionals from around the world, expect to be impacted by some type of security or compliance incident in the next one to five years. For example, 60 percent of respondents expect at least one major IT incident that could halt or disrupt a critical part of the business each year. Clearly, as an industry, we must do better.

Effective IT risk management must address people, process, and technology as the key components to controlling risk. The effectiveness of even the best technology and processes is frequently undermined if employees do not understand both the value of the organization's information assets and their role in securing these assets.

Putting People in the Process
Educating employees so they understand how IT risks can impact an organization is an indispensable step towards properly managing those risks. Organizations frequently focus on mitigating risk by investing in new technologies, while failing to leverage their most critical asset: people.

Today, human actions account for a far greater degree of computer-related loss than all other sources combined. An analysis of Symantec's INFORM risk management database revealed that respondents most often identify drivers related to people and process as significant sources of IT failures. For example, 60 percent of respondents identified lack of proper architecture expertise as a significant source of IT failure, and 53 percent identified insufficient training in troubleshooting and resolution as a significant source of the same.

Common internal causes of corporate IT-related incidents include poor password protection, failure to update protection software, failure to scan files, inappropriate on-the-job Web surfing and file downloading, and social engineering (techniques used to manipulate people into performing actions or divulging confidential information). These incidents leave the infrastructure exposed and the organization vulnerable to exploitation, attack, and loss of proprietary information. The same security gaps can also drive a high rate of virus infection (and re-infection), along with a reduction in available network bandwidth. Ultimately, all of these translate into lost productivity due to downtime and increased costs to repair programs and replace lost or stolen equipment.

People are valuable resources and play a significant role in ensuring the security of an IT infrastructure. Through proper training and education, employees can be key players in mitigating IT risks. According to a report issued by Gartner, implementing an effective security awareness program can eliminate time spent reacting to security incidents and lead to a 25 percent productivity savings. This means that employees can focus on what they do best: their jobs.

Mitigating Risk through Education
Contrary to popular belief, IT departments should not shoulder the responsibility of managing risk alone. Security is everyone's job, and when it comes to information security, people are as important as technology, policies, procedures, and guidelines. However, it is unrealistic to expect employees to handle the complexities and nuances of today's security environment without any preparation. With proper education and training, employees can become an organization's strongest line of defense and its most valuable security asset.

When designing a training program, IT organizations should keep in mind the four risk management categories: security, availability, performance, and compliance. They should also follow several best practices, which are outlined below.

Security risk

  • Improve incident reporting and handling
  • Properly classify and protect intellectual property
  • Reduce unsafe communication channels such as Instant Messaging
  • Design and implement more secure applications and infrastructures
  • Educate all employees on the importance of security awareness

Availability risk

  • Take a more proactive approach to IT availability issues
  • Demonstrate the importance of proper backup procedures
  • Increase awareness of common virus and Trojan attack vectors, such as email attachments and file downloads
  • Educate application developers on the importance of building robust and stable applications

Performance risk

  • Demonstrate proper use of network assets (e.g., not watching online videos during office hours)
  • Increase attention to system performance in IT systems design
  • Educate application architects and developers on their ability to positively impact performance-related issues in IT systems

Compliance risk

  • Support and follow internal IT safeguards and business policy requirements in an effort to help meet compliance standards such as FISMA, Gramm-Leach-Bliley, HIPAA, Sarbanes-Oxley, COBIT, and ISO 17799:2000

Successfully protecting information assets requires employees at every level, from the top down, to obtain a basic understanding of the security risks and policies, as well as their respective responsibilities in protecting the company's assets. Without this understanding, organizations cannot hold employees accountable for protecting the organization's resources.

An effective training program enables organizations to improve their security posture by giving employees the knowledge they need to protect the organization's information through proactive, security-conscious behavior. Management personnel with security responsibilities may require additional training. Training must also be ongoing, with continuous communication and reinforcement. A one-time presentation or a static set of activities is not sufficient to address the ever-evolving threats in the security landscape.

The more businesses view employees as an asset to their security posture, and the more training those employees receive on security initiatives, the more secure an organization's data and information will become.

The time has passed for the 'reactive' security model, in which security incidents are always dealt with after the fact. Today's security environment has become so complex that reactive companies will always be playing catch-up. Progressive companies must take a proactive approach that involves their people more in the company's IT risk management strategy. In the long term, this is the only way to reduce the associated costs and maintain any level of security.


Additional Reading
Managing an Information Security and Privacy Awareness and Training Program

Implementing an Information Security Awareness Program by Thomas R. Peltier.


About the Author
Paul Hinkle is a Principal Security Instructor for Symantec Corp.

© Copyright 2007 Auerbach Publications.