Informing the masses about security policies
The most secure network environment is useless if users don't respect the need for security. In fact, if left alone, most people take the path of least resistance in their everyday activities, like leaving a notebook unattended in an unlocked car. In other words, users will do anything to make getting past security simpler, such as automating password entry, writing passwords down in plain view, mapping unauthorized drives, installing unapproved software, carrying data between work and home on flash drives, and attaching modems to bypass firewalls or proxy servers. If you rely on software-based or operating-system-based security measures, users often find ways around them or ways to reduce their effectiveness.
User education is a two-pronged process:
- First, network users must understand what security means, why it's important, and what measures are in place on your network.
- Second, violations of security policy and practice must be dealt with swiftly and strictly.
Educating network users
In most cases, educating network users means preparing an official document that details and explains all security restrictions, requirements, and punishments. This document, known as a security policy, serves as the network's constitution: its governing body of regulations. It also helps maintain network security and lets violators know they'll be prosecuted.
So, what does a user need to know about security imposed on an organization's network? Here's a brief list of highlights:
- Use passwords properly and choose them wisely. (Don't use an obvious name or number, such as a pet's name or your birth date.)
- Never write down or share passwords.
- Never share security badges and smart cards or leave them unattended.
- Restrict network access to authorized employees only.
- Don't share user accounts with other employees or with anyone outside the organization.
- Don't distribute data from the network in any form outside the organization.
- Don't step away from your workstation while you're logged on to the system.
- Understand the various levels of security in place on the network and the purpose of the stratification.
- Don't install unapproved software.
- Make it clear to all employees that tampering, subverting, or bypassing security measures is grounds for termination of employment.
- Respect the privacy of the organization and other users.
- Deal with violations of the security policy in a swift and severe manner without reservation or exemption.
Punishing users for violating the security policy
If a user violates a significant clause in the security policy, a severe punishment must be applied. In most cases, firing the individual is the only form of punishment that controls the situation effectively and prevents other users from making the same mistake. The repercussions of violating the security policy must be detailed in the policy itself. And if you spell out the punishment, you must follow through. Even if your top programmer is the culprit, he or she must receive the same punishment as a temporary mail handler.
Most analysts have discovered that deploying a severe security policy results in a common pattern - a short-term improvement in security, followed by a brief period of laxness, which results in violations, causing several users to be fired, which then results in an overall sustained improvement in security. Companies have reported that the loss of manpower because of violations was negligible in comparison to the prevention of security breaches.
You should create your own security policy that includes details about physical control, user education, and operating-system-level security measures. Remember the adage about the ounce of prevention. (It beats a pound of cure, every time.)