At any given moment, there are users on the network doing things they shouldn't be doing. Does your company have a solid security awareness program in place to make them aware of their behavior?
A recent Netwrix survey called "Top 10 Things that SysAdmins Really Hate" found "dumb users" were at the top of the list. Almost half of those surveyed found the very people they're there to support are getting under their skin. I agree that users are a large part of the challenges in IT, especially as it relates to security. But whose fault is it when users don't know what to do or what's expected of them and "dumb" stuff happens? Is it on them? After all, they're grown-ups who should know, right? Is it management's fault for not supporting the proper training for employees? Or, perhaps it's on IT just a tad via the Nick Burns syndrome?
In the end, it doesn't matter who's at fault. It's up to IT and security professionals, along with strong support from management -- namely human resources -- to ensure everyone is set up for success. The following elements embody a solid security awareness program:
- It sets expectations.
- It's designed to keep security on the top of everyone's mind periodically and consistently over time.
- It makes security personal for each employee with incentives for good behavior.
Yet, these very things are often missing. If you're going to do a proper security awareness program, then make sure the program has clear priorities, has business reasons behind it and is kept afloat. Mere policies and proclamations do no good over the long haul. A security awareness program can be as simple as quarterly lunch-and-learns with periodic emails or videos mixed in. Or, it could be something as formal as an internal or cloud-based Web application that provides in-depth classroom-type training that also quizzes employees to ensure they understand the information. In the end, the security awareness program needs to be tailored to your specific business culture and needs. The end goal should be to keep people in the know and establish and build trust with the employees.
There are a ton of resources and tools available to develop an IT security policy. Some are free and some are for purchase. My favorites include:
- The Security Awareness Company
- Green Idea
- Wombat Security Technologies
- DoD phishing awareness training
- NIST Special Publication 800-50, Building an Information Technology Security Awareness and Training Program
Build it up and follow through
As you develop your security awareness program, keep in mind that awareness is not the ultimate security solution. Just like patch management and vulnerability testing, it's part of something much bigger. In a world where arguably the majority of breaches start at the user level, you've got to do something on the people side to keep the Windows environment under control.
It all starts with willingness. Stop checking the box on IT security awareness. Stop being a part of the crowd and squandering good money on security awareness that's just for show. Develop a program and run it like any other critical business function. That's going to require helping to get the program started and then getting out of the way and letting HR do its thing. Set goals for the program and hold yourself and others accountable to see it through.
If you put forth the proper effort, you can minimize user-based risks. Even when a network event or breach occurs, a strong information security awareness program will put you in a much better position to demonstrate -- and defend -- what you were doing and the choices made.