DATA SECURITY

awareness programs can also be run by people with communications, marketing or learning backgrounds. Organisations should deploy people who both understand best practice and can effectively reach and engage others.

Starting with IT

The natural starting point to raise awareness should be the IT department, and this should also include users who access sensitive applications. For example, a UNIX admin, storage manager or web developer: all roles that need a core understanding of IT security best practice. In many cases these are staff members with good technical skills who have not been formally trained in IT security, because it is not within the remit of their job. Yet even a simple mistake by a developer that exposes a customer portal to a cross-site scripting attack, or a misconfiguration of a SAN that allows sensitive data to travel across an unsecured network, can do just as much damage as a well-orchestrated cyber-attack.

This has led organisations such as the SANS Institute to develop courses such as SEC401: Security Essentials Bootcamp Style, which is designed to give technical staff a rounded understanding. The course has an entry-level junior sibling, SEC301 Introductory Information Security, which offers senior management from areas such as HR, compliance and legal a foundation in the application of computer security. Both six-day courses are led by experienced instructors, all with at least a decade's worth of experience in IT security and, more importantly, teaching skills backed up with hands-on examples. The more in-depth 401 looks at five key areas: Networking Concepts, Defense In-Depth, Internet Security Technologies, Secure Communications, and operating systems such as Windows and Linux. The course was taken by 3,000 individuals in 2014. Not only does it help to build better IT security skills; many participants also sit the corresponding Global Information Assurance Certification (GIAC) exam, which offers a recognised qualification.

Properly trained staff can also propel the message and best practice further into the organisation, as well as helping to define sensible IT security policies. Yet training should also be seen as teaching employees that information security should be a way of life. The message should be that the same organised criminals who are intent on breaching corporate security will use the same tricks and traps to gain access to sensitive information at a personal level. With the rise of teleworking and Bring Your Own Device (BYOD) policies, hackers are now targeting individuals outside the workplace to try to gain indirect access to remotely connected systems.

Where Next?

Organisations are under constant pressure to strengthen IT security. With all the theory, what are the practical steps that organisations can take to institute security awareness and information security training? The first step is identifying what skills the organisation is lacking and what types of user behaviour could benefit from a change. Most organisations start and stop with targeting all employees and contractors with the same standard training. However, after closer analysis an organisation may identify different roles that require additional or more specialised security awareness training, such as IT staff or executive assistants. In addition, the organisation may identify different departments, business units or perhaps even international offices that have unique requirements, such as translation. Finally, the organisation might discover that it also needs training for people outside the organisation, such as customers, vendors or other third parties. By clearly identifying the scope of your programme and who you want to reach, you can then create a more effective plan.

Keep in mind that it is not necessary to create a totally unique programme for each target, nor do you have to train them all at once. What tends to work best is to start by developing a baseline programme that applies to everyone in the organisation. Once that is rolled out, the organisation can then build and deploy more specialised or additional training for different roles or departments. As more regulatory frameworks start to emerge and governments begin to treat information security training with the same seriousness as health and safety training, more organisations will be forced to act hurriedly. For progressive organisations, it might be wise to bolt the stable door before it's too late.

20 NETCOMMS europe Volume V Issue 5 2015
www.netcommseurope.com