
Lock Windows systems down with a security awareness program

To produce a successful IT security policy, organizations need to invest the time and effort to include employees at all levels.

At any given moment, there are users on the network doing things they shouldn't be doing. Does your company have a solid security awareness program in place to make them aware of their behavior?

A recent Netwrix survey called Top 10 Things that SysAdmins Really Hate found "dumb users" were at the top of the list. Almost half of those surveyed found the very people they're there to support are getting under their skin. I agree that users are a large part of the challenges in IT, especially as it relates to security. But whose fault is it when users don't know what to do or what's expected of them and "dumb" stuff happens? Is it on them? After all, they're grown-ups who should know, right? Is it management's fault for not supporting the proper training for employees? Or perhaps it's on IT just a tad via the Nick Burns syndrome?

In the end, it doesn't matter who's at fault. It's up to IT and security professionals, along with strong support from management -- namely human resources -- to ensure everyone is set up for success. The following elements embody a solid security awareness program:

  • It sets expectations.
  • It's designed to keep security on the top of everyone's mind periodically and consistently over time.
  • It makes security personal for each employee with incentives for good behavior.

Yet, these very things are often missing. If you're going to do a proper security awareness program, then make sure the program has clear priorities, has business reasons behind it and is kept afloat. Mere policies and proclamations do no good over the long haul. A security awareness program can be as simple as quarterly lunch-and-learns with periodic emails or videos mixed in. Or, it could be something as formal as an internal or cloud-based Web application that provides in-depth classroom-type training that also quizzes employees to ensure they understand the information. In the end, the security awareness program needs to be tailored to your specific business culture and needs. The end goal should be to keep people in the know and establish and build trust with the employees.

There are a ton of resources and tools available to develop an IT security policy. Some are free and some are for purchase. My favorites include:

Build it up and follow through

As you develop your security awareness program, keep in mind that awareness is not the ultimate security solution. Just like patch management and vulnerability testing, it's part of something much bigger. In a world where arguably the majority of breaches start at the user level, you've got to do something on the people side to keep the Windows environment under control.

It all starts with willingness. Stop checking the box on IT security awareness. Stop being a part of the crowd and squandering good money on security awareness that's just for show. Develop a program and run it like any other critical business function. That's going to require helping to get the program started and then getting out of the way and letting HR do its thing. Set goals for the program and hold yourself and others accountable to see it through.

If you put forth the proper effort, you can minimize user-based risks. Even when a network event or breach occurs, a strong information security awareness program will put you in a much better position to demonstrate -- and defend -- what you were doing and the choices made.

I can’t agree enough with educating users at all levels. An organization’s security defenses are only as good as the most susceptible point of attack, and that is quite often the users. Either users that aren’t that computer literate or, and not really surprisingly, IT employees that know just enough (or think they know it all) that let their security posture get too lax.