Implementing User Education

Implementing User Education

One of the most powerful tools available to a security administrator is the body of network users, who may notice and draw attention to unusual access methods or unexpected changes. This same body of users also creates the greatest number of potential security holes, because each user may be unaware of newly emerging vulnerabilities, threats, or required standards of action and access that must be followed. Like a chain, a network is only as secure as its weakest linkand users present a wide variety of bad habits, a vast range of knowledge, and varying intent in access.

When planning for user notification of new threats, such as a virus or an email-distributed agent of mischief, it is crucial that your solution includes a means of communication other than that affected by the potential threat. For example, it will do little good to warn users of a new email bomb via email if the bomb has already affected your avenue of distribution.

User education is mandatory to ensure that users are made aware of expectations, options, and requirements relating to secure access within an organization's network. Education may include many different forms of communication, including the following:

• New employees and contract agents should be provided education in security requirements as a part of the hiring process.

• Reminders and security-awareness newsletters, emails, and flyers should be provided to raise general security awareness.

• General security policies must be defined, documented, and distributed to employees.

• Regular focus group sessions and on-the-job training should be provided for users regarding changes to the user interface, application suites, and general policies.

• General online security- related resources should be made available to users through a simple, concise , and easily navigable interface.

It is important to locate a suitable upper-level sponsor for security initiatives to ensure that published security training and other requirements are applied to all users equally. Hackers, crackers, and other agents seeking unauthorized access often search for highly placed users within an organization who have exempted themselves from standard security policies.