Mark Borinsky, a fellow member The Ethical Hackers Club (TEHC), a local Maryland Meetup group, wrote the following article that I wanted to share. Please see the news section for more information on Mark.
Computer Security: Importance of Training
Employees need to be educated and to be aware of their specific cybersecurity
responsibilities. They should be held accountable for their cybersecurity practices and know that their security practices will be monitored.
Computer security is a broad subject, so that even employees not directly involved with computers need to be trained; for example, all employess need to know that keeping intruders outside of a building is important.
Continuing education is crucial. Millennium Challenge Corporation (MCC) has a notable employee training program. 1 Beyond the usual training, MCC has a “Tip of the Day” program that includes a question about computer security. Each month, employees are graded on their responses. Those who fail are warned. If someone fails two consecutive months, their supervisor is notified. Then, if they fail a third consecutive month, network access is denied until remedial training is successfully carried out.
“We’ve had a tremendous reduction in viruses,” reports MCC Chief Information Officer Dennis Lauer reported.
The State of Colorado has a plan to educate employees about home computer security, with the idea that security awareness will become a habit. 1 “If (employees) pay attention (at) home, that will naturally translate to work life,” states Carolyn Schmidt, program manager for computer security at the National Institute of Standards and Technology.
Limitations of education As important as education is, and it is quite important, even the “best and the brightest” and the most well disciplined people are vulnerable to cybercrime. In 2004, West Point cadets, as the unknowing victims of a cybersecurity study 2, ignored the principles they had been taught in a computer security training program, and responded to an email from a fictitious officer asking them to click on an embedded link that supposedly would show them their grades. A year later, in another round of the study, a lower but still significant number of the students were fooled by a phishing expedition. Worse still, in the second round, some of the students provided their Social Security number.
Add to the gullibility of these West Point cadets, and their sometimes misplaced trust in authority is the fact that they, like many people, are under time pressure, and are sometimes tired and confused.
1 “5 Tips for Cybersecurity-training Your Employees — Federal Computer Week.” Object Moved. Web. Retrieved 16 Apr. 2012. <http://fcw.com/articles/2010/01/25/feat-cybersecurity-training-a-must.aspx>.
2 “Fostering E-Mail Security Awareness: The West Point Carronade.” (EDUCAUSE Quarterly). Web. 03 May 2012. <http://www.educause.edu/EDUCAUSE Quarterly/EDUCAUSEQuarterlyMagazineVolum/FosteringEMailSecurityAwarenes/15733