Title: Raising Security Awareness in Employees. Info-Tech
1. Raising Security Awareness in Employees
Info-Tech Digital
Presentation
insert date
2. Raising Security Awareness in Employees
- Summary
- While perimeter defenses are critical to protecting our systems from outside attack, attention must be placed on security threats that come from within.
- It's important to raise security awareness in all employees because most security breaches are caused inadvertently by staff.
3. Raising Security Awareness in Employees
- Did your organization experience an unauthorized use of its computer systems in the last 12 months?
Source: Computer Security Institute, June 2004; n = 481 computer security practitioners in the U.S.
4. Raising Security Awareness in Employees
- Types of attacks or misuse detected in the last 12 months
Source: Computer Security Institute, June 2004; n = 481 computer security practitioners in the U.S.
5. Raising Security Awareness in Employees
- According to META Group, the cost of damages from a security breach is 290,000 per company in 2004.
- In May 2004 alone, the damage due to the proliferation of malicious software is estimated at between 16.2 billion and 19.8 billion worldwide.
- Survey respondents' estimates show that denial-of-service attacks surpassed intellectual property theft as the most costly attack type.
- The third most costly type of attack was insider Web abuse, followed by abuse of wireless networks, financial fraud, and laptop theft.
6. Raising Security Awareness in Employees
- Number of security incidents reported, 1993 to 2003
Source: CERT, 2003
7. Raising Security Awareness in Employees
- Social Engineering: What Is It?
- Social Engineering is a method that hackers use to manipulate and deceive employees in order to gain sensitive or confidential information such as:
- Personal employee facts or passwords.
- Names of important servers.
- Other key data (e.g. IP addresses).
8. Raising Security Awareness in Employees
- Social Engineering: How Is It Done?
- Impersonating an employee and pretending to have forgotten a password.
- Posing as an authority figure to extract valuable information from company employees that are afraid or unable to confirm the legitimacy of the authority.
- Posing as a repairman or contractor to gain physical access to an organization and steal information or access the network through an available workstation.
9. Raising Security Awareness in Employees
- Building a fake Web site that requires users to register with their user name and password to access information.
- "War mumbling," which involves calling employees and mumbling or speaking in a thick accent when asked for ID authentication until the user finally gives up the password information out of sheer frustration.
- Gaining trust through seemingly innocent conversations, then sending an e-mail attachment with a backdoor exploit.
10. Raising Security Awareness in Employees
- We Don't Want to Play Big Brother
- No one wants to monitor every action of a user, but many security breaches are created internally. Incidents of this kind come in a variety of forms:
- Opening infected e-mail attachments.
- Forgetting to log off or lock workstations.
- Disclosing passwords.
- Installing unauthorized software.
11. Raising Security Awareness in Employees
- Disclosing private customer data.
- Leaving a public-facing door unlocked.
- Forgetting to set the alarm at night.
- Loaning your laptop to someone else.
- Surfing questionable Web sites.
- Losing your key card and not reporting it missing.
- Any other failure to comply with company security policies.
12. Raising Security Awareness in Employees
- We'll Do Our Part
- In addition to fostering a corporate culture that embraces security, company name intends to do the following:
- Solidify and strengthen all enterprise security systems and technologies.
- Establish formal practices and support.
- Invest in security training programs.
13. Action Plan
14. Raising Security Awareness in Employees
- How You Can Help! At the end of the day, it's you who can make a real difference in security.
- Keep confidential documents locked up.
- Don't leave private information in the photocopier, fax machine, etc.
- Change your password frequently; use a combination of letters and numbers.
- Never let ANYONE know your password.
- Store all files on the network, not your PC's hard drive.
- Encrypt or password-protect sensitive e-mails.
15. Raising Security Awareness in Employees
- Always lock your PC when you are not at your desk (Ctrl+Alt+Delete).
- Always log off and shut down your PC when you leave for the night.
- Always ask IT for permission before downloading software.
- Never post sensitive company information or client information to blogs, Web bulletin boards, etc.
16. Raising Security Awareness in Employees
- How We Plan to Measure Effectiveness.
- Conduct periodic security tests to promote and measure the program's success.
- Create a security documents section in the intranet that will include policies, procedures, and FAQs on security.
- Employ power users to help you out and foster security awareness.
17. Raising Security Awareness in Employees
- How We Plan to Communicate.
- We will keep the lines of communication open so that you can ask IT about security when you're unsure.
- We will provide updates on existing and future security initiatives.
- We will set up a graphic security "barometer" to display the organization's current security status.
18. Raising Security Awareness in Employees
- How We Plan to Stay Flexible. What is considered a security best practice today might be obsolete tomorrow. The security awareness program takes into account such factors as:
- Changing business models and/or objectives.
- The introduction of new technologies.
- Emerging security threats and/or new viruses.
- The growth of the network and the user base.
19. Raising Security Awareness in Employees
- How We Plan to Enforce Security. Because security is so critical to our business operations, enforcement may be necessary.
- Consistently failing security tests may result in disciplinary action.
- Policies will contain stiffer penalties for infractions.
- Deliberate security violations will be dealt with to the fullest extent of the law.
20. Raising Security Awareness in Employees
- Bottom Line
- Security is a challenge, made more difficult by human fallibilities.
- An awareness program will strengthen the security chain and empower you to make a real difference.
21. Questions?