A colleague of mine recently posted a blog about the Black Hats getting the job done and rightfully so. Hackers have been pillaging the countryside lately. How many company compromises have there been over the last 3 months? More than there should be!
Yes, the White Hats get it, but it’s just going to take time. It will take diligence, time and more time. We all know security awareness training is the key, but how can we all make this *really* effective? We all know, or at least should, that training needs to be ongoing and updated with new and relevant content. It needs to be consistent with the times and not some ‘ad hoc’, outdated SAT program.
So, say we have a good solid security awareness program in place and it’s ready to go. Now the challenge is how do we get our employees to listen, learn and practice these security guidelines? There are three options. One is to provide the training and just pray and hope people listen and follow it. Well, we know how successful that has been. Two, we provide training and have some type of reward system. Say a manager or member of the audit team discovers a good security finding, such as an employee questioning a person entering the corporate office without a proper name badge (stopping someone from piggybacking in) and then reporting this to security. This is a good thing so far! For this good task, a notification goes out to the company about this great deed along with a $25 gift certificate to Home Depot or the like. Another option is risk factor (punishment). What if a person was fined or fired for not adhering to a company’s information security policy? What if an executive’s compensation was directly related to information security metrics/goals? What if an employee is fined $50 for having their password on a Post-it on their desk?
The White Hats can do it, but it will require a shift in approach and behavior. All of this will take time and diligence. Who said it was going to be easy? Nothing worth doing is ever easy…or so the saying goes.
Tim Trow is a Senior Consultant at Zensar.