[BreachExchange] Security Awareness For IT Employees

[Audrey McNeil]

http://resources.infosecinstitute.com/category/enterprise/securityawareness/
security-awareness-roles/security-awareness-for-it-employees/

Stating that information security is everyone’s job is not something new;
just try asking any person in charge of awareness efforts how many times
they have done so. Even if your company has a dedicated security team, it
is very important to let every employee know that they have a shared
responsibility for the company’s data protection.

Since information security is so closely linked to IT protection, most
would assume that IT workers would be way ahead of the game, quite aware
that they play a major role in data protection and would not stray from
secure behavior, following security rules without questioning and helping
in the early detection of security related incidents. The simple truth is
that most of the time IT employees are among the biggest insider threats to
security[1].

The Importance of Security Awareness for IT Employees

 Let’s list a few good reasons why security awareness for IT employees
should be a major concern for all organizations:

- An employee just like any other: For starters, IT team members are
employees and, just like any other person who works at your company, they
are bound to follow corporate guidelines for IT security. Having them
participating in security education/awareness efforts may be mandatory for
some organizations but, even if that is not the case, it is important to
understand that security requirements, policies, guidelines, standards, and
procedures will vary a great deal from business to business. If a company
assumes a person will promptly understand/accept/follow the corporate
security rules and be conscious of the specific threats to the business
without having any prior training and awareness, that is a really poor
managerial decision.
- Resistance to rules: Having just stated that IT employees are workers
just like any other, it may sound contradictory that now I point out a
major difference in behavior. The truth is that IT people, the same ones
who most of the time are required to enforce security, are not very fond of
following rules. For instance, if there is a problem with whatever
spreadsheet software they are using, an IT worker may reinstall the
software by himself to solve the problem instead of contacting the service
desk.

Not only that, but in some cases IT employees may know how to easily
circumvent rules: If the USB devices are blocked, if a website is not
allowed, if a specific application is not installed, for a typical user
that would be it. For an IT user, it may be a simple question of messing
around with system settings, changing a registry entry, or using a portable
proxy avoidance tool.

So, since standard security controls may not be that effective with IT
employees, the only option is making them aware of the risks of not
following rules; this should not only cover the threats to the company, but
should also make clear the consequences violators will face.

- IT workers make the same mistakes: Putting aside intentional bad
behaviors, most security incidents related to IT employees will be caused
by simple mistakes. For instance, if a company does not enforce complex
passwords or does not have password management software, it is almost
certain to find people within IT using the simplest passwords and even
writing them down in easily found places.

Developers are another group that can inadvertly create security flaws: it
is not at all uncommon for someone having trouble with a syntax error to
download sample source code and use it without any concerns for security;
but it gets even worse, because misguided developers may simply share a
piece of sensitive code on a public online forum in search for help.

 The fact is, while IT employees may be more comfortable with technology,
they are not invulnerable to simple mistakes, and that includes falling
victim to in-person social engineering, opening attachments from unknown
sources, downloading software from outside the official stores, clicking on
links in social media sites, etc. Again, even though IT employees are
expected to know that this is a risky behavior, incidents are bound to
happen without proper security awareness training.

- A prime target for cybercriminals: Since we already established that IT
employees can make the same mistakes as normal users, it is not at all
difficult to understand why they are a prime target for attackers or
cybercriminals. Most of the time, IT personal have access to sensitive
information. This may come in the form of administrative rights, source
code access, documentation, physical access to restricted areas such as a
datacenter, advanced operational system features, and almost unrestricted
network/internet access, to name only a few examples.

Now, if a regular user falls victim to a phishing scam and inadvertly
shares his password, it can either be a minor or major issue for the
company, depending on what the user does and his level of access. If an IT
user falls for the same scheme, it is much more likely to cause a high
level of harm to the business. Even the most basic IT functions are a
common place for sensitive access. Many entry positions such as IT
technicians may have administrative rights on user computers or file
shares; a DBA or developer with access to the production environment (not
recommended by the way) may expose sensitive files, documentation or even
access to critical system.

Security Awareness: How to Educate IT Employees

What is the best approach to “inoculate” employees and prevent both
deliberate and unintentional security incidents from IT personnel? The
answer is creating an awareness program that reflects the level of harm an
employee may cause to business.

This will require a proper understanding of the audience and developing
awareness pieces accordingly, while a part of the awareness material will
be designed for the employees as a whole, some of it must be created
specifically for key areas such as IT or even an IT-subset (i.e. coders,
DBAs, network administrators).

Here are some tips that can be quite useful in bringing your awareness
program up to speed:

- Your audience already knows the basics of technology: Simple as that,
since we are talking about IT employees, it is reasonable to assume that
they already have a good understanding of tech, otherwise you would not
have hired them. As with any audience, speaking in a language they fell
comfortable is of key importance if you wish to get your message through.
With a general employee group, using technobabble may not be the best idea,
but since we are talking about IT geeks, this approach can be of great
value to get their attention going.
- The basics of information security: Now, understanding technology and
even being an expert in some related areas may not require a profound
knowledge of information security, so it is always best to not assume IT
employees are already proficient with information security. There is no
harm in starting from the basis, so some effort should be made to ensure
that things like basic concepts, terminology, procedures, guidelines, and
policies are well understood. This can be accomplished real easily by
creating a security handbook (that can also be used with non-IT employees)
and having quick presentation sessions.
- Be specific: IT employees can work in several different areas that are
subject to specific risks. While it is important to have your entire team
aligned on the general terms, there is little to be gained from spending
resources and time educating an employee about a subject that does not
involve his line of work. For instance, server admins may not be required
to know more than the basic concerns of coding vulnerabilities and your
development team does not need to be concerned with the operational
system’s security settings. Again, it is all dependent on knowing and
understanding your audience.
- Whenever possible, use real examples: More often than not, IT personnel
will be directly involved in dealing with security incidents. While it is
important to avoid over-exposition of past issues, having practical
examples pertinent to the company’s risk scenario is one of the best
approaches to accomplish awareness. For example, if a company has a history
of malware infection or, even worse, suffered a ransomware attack, it is
always good to discuss it with the tech team and point out whatever
security controls were missing and, if there was malicious intent, what the
consequences were and what has improved to help avoid further occurrences.

Concluding Thoughts

The human factor has been and will remain a major part of most data
breaches or any other type of security incident. IT employees can either be
a source of vulnerability or one of the most resilient combatants in a
company’s information security efforts; it is all a matter of being aware
and adequately trained.

While IT people in general have more experience and are even easier to
educate on security matters, it is important not to underestimate the level
of exposition that may arise if IT employees are not part of security aware
efforts. Simple unintentional mistakes can become major incidents that may
impact operations, financial results, and even the image/reputation of any
business.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170807/4681dd91/attachment.html>