By Daniel Wallace
Recently Cisco Systems published its 2009 Mid Year Security Report. I read it last week and found it to be an interesting analysis of cyber crime trends over the past six months.
One of the key themes in the report is that cyber criminals are beginning to function more like corporate entities in terms of business plans, marketing, rapid response to new opportunities, specialization, collaboration, and strategic partnering.
Some organizations have begun offering performance guarantees, 24-hour customer support, and service level agreements.
I can't imagine anyone would call a support desk because the stolen credit card numbers they purchased online didn't work as expected, but apparently it's going on.
Cisco also notes a growing number of attacks that exploit the latest and most popular consumer-oriented technologies, including social networks, Twitter, and SMS.
Based on this trend, the report concludes that the bad guys are recognizing how people behave and using it to their advantage.
If this is true, then trends in cyber crime will closely follow trends in consumer behavior. I believe it is time for security awareness campaigns to start doing the same thing.
Web 2.0 technologies and applications have made the internet more collaborative and interactive, partially fueling the popularity of social networking.
Nielsen Online reported that by the end of 2008 social networking had overtaken email in terms of worldwide reach. Sites such as Facebook, Twitter, MySpace and LinkedIn provide users with a way to build and interact with a community in real time, on a familiar platform, at a very low cost.
These sites give users the ability to broadcast short, engaging messages to their online community while providing the reader with a rating, feedback and forwarding system.
It is not my intent with this article to address any of the real or perceived security issues with a particular social networking service.
I'm going to ignore the ROI of both social networking and security awareness programs.
Instead I offer my perspective into how this technology and way of collaborating can be leveraged to make security awareness campaigns more effective.
The qualities that make social networking so attractive to consumers, and now to cyber criminals, are precisely what make it well suited to security awareness campaigns.
Security Awareness 1.0
Consider the elements of the typical security awareness campaign I have observed in large organizations over the past decade and some of the problems I have seen with the tricks of the trade.
Classroom training, lunch & learn seminars and online learning, when delivered properly, can be effective in delivering a lasting message that changes behavior, but quality formal training programs can be expensive in terms of participant time and development cost.
Periodic messages delivered via email, hard copy, an information security webpage or a SharePoint site, while inexpensive, are often ignored, missed or misinterpreted.
Information security posters can be found in just about every organization these days. Some are better than others and the investment required will vary widely.
The problem with posters is that they do a poor job of communicating anything.
Reducing a meaningful message to a slogan such as "Ctrl-Alt-Delete when you leave your seat", then pairing the slogan with a picture, be it cutesy, dramatic, comical, or puzzling, is a distraction that often offends those tricked into looking at it.
Who doesn't love information security tchotchkes such as pens, coffee mugs and note pads? In fact, the security pen and note pad are perfect for jotting down the complex passwords users are forced to change every 30 days. Not only are these spiffs costly, but they can be counterproductive.
Security Awareness Day? This pseudo-celebration of information protection is a pedestrian activity meaningful to few outside of the security silo.
I have observed an incredible feeling of emptiness in the daily routine of some tasked with planning the annual security awareness festival.
Compliance with legislation, standards and regulations such as PCI-DSS, NERC-CIP, HIPAA, and GLB requires impacted organizations to conduct information security awareness programs.
This is for good reason; some studies estimate that 85% of security breaches are caused by the actions of a well-meaning yet uninformed end user.
The objective of including security awareness in these regulations is to give end users a basic understanding of security practices so that they change their behavior.
Yet the slow, purposeless way that security awareness is delivered in many organizations creates little value beyond the management assertion that such a program exists.
Ever heard the expression "checking the box"?
By adopting social networking technologies it would be possible for security awareness to spread as fast as vulnerabilities in the wild.
Social networking could also give those charged with protecting information the same toolset as those who are most effective at inflicting harm on organizations.
But how can information security take awareness out of the era of the Gutenberg Press and make the transition to Web 2.0? There needs to be a change in two key areas.