Wednesday, 08 February 2012

Cyber Security Training


When Dennis Lauer joined the Millennium Challenge Corp. as chief information officer two years ago, the young federal program’s growing pains included a startling lack of security.
It was an almost free-for-all atmosphere, he recalled. Employees installed Apple iTunes on the agency’s network and regularly downloaded malware via pop-ups that harbored malicious code. “Almost every day we had [surreptitious] viruses, and people didn’t know not to click on” them, Lauer said.
The security situation began to change for the better when the office adopted new security policies and practices. Launched in 2004, MCC had adopted a few information technology shortcuts in the early years as the U.S. government corporation embarked on its mission of helping underdeveloped nations. When Lauer arrived at the agency, he had a list of more than 20 noncompliance items from Federal Information Security Management Act audits.
Now when users log on to the MCC network, they are greeted by a Tip of the Day awareness training application, which asks a question about IT security. The system then tracks the responses. Besides giving managers an easy way to assess the agency’s training program, the daily quizzes have also made employees more mindful of security.
“We’ve had a tremendous reduction in viruses,” Lauer said. “Instead of clicking on things, [users] call the help desk. They never used to do that before.”
But not every agency can report such success. Indeed, experts say the goals of user training efforts are still a long way from being realized. 
“There is a gap, and the gap is costly because it undermines all the technology being thrown at security problems,” said Keith Rhodes, senior vice president and chief technology officer at QinetiQ North America’s Mission Solutions Group.
As with any technology solution, the disconnect is often found on the user’s side of the keyboard. “No approach to training is infallible because human beings are fallible, and of course, human fallibility is what training tries to counter,” Rhodes said.
A recent survey by CDW Government underscored the challenges of security training. Four out of five federal IT managers said they provide ongoing classes on security policies and procedures. But even then, almost half had seen employees post passwords in public places, violating one of the most fundamental security proscriptions.
The survey highlights one of the hardest tasks in IT security: changing user behavior. Firewalls, intrusion-prevention systems, antivirus software and other security technologies provide some defense against attacks. But they don’t fully address the human dimension. For instance, firewalls won’t prevent an employee from stowing passwords under a mouse pad or engaging in other careless practices.
Agencies hope training programs will keep employees on the straight-and-narrow security path. But how can you tell whether — and to what extent — the message is sticking?
Security managers and industry consultants say there are a few basic techniques for evaluating the effectiveness of IT security training and improving the odds that the lessons will sink in.
