13.13 Security Training




Network users usually resist improvements in network security, because security devices and controls can make a complex system even more difficult to operate. Trusted employees often resent having to use passwords to access the network. For these reasons, some security measures may cause delays and reduce productivity. Companies should expect resistance to added rules and regulations and counter this by providing security awareness training. The IT manager, with the aid of the human resources department, must sell the long-term employee on the idea of additional security by implementing bulletin board campaigns and training sessions. At a minimum, security awareness training should include the following:

  • A description of tangible security measures, such as locks, keys, card systems, and badges;

  • An explanation of password management, including password selection, access privileges, routine password changes, and the need to maintain the confidentiality of corporate information;

  • Definitions of sensitive data and procedures for keeping data confidential;

  • Procedures for reporting lost or stolen data, software, and hardware;

  • Mechanisms for encouraging and implementing employee suggestions for improving security.

Companies should also develop security demonstrations, possibly in the form of a game in which one employee is assigned to penetrate the system while others try to prevent or detect the attack. Games demonstrate how well the system works and involve staff members with the security system. Whatever the result of the game, the company wins. If the attempt fails, the security system is performing effectively. If a security breach occurs, the company has identified a weakness and can take appropriate corrective measures.

Once an acceptable level of security awareness exists throughout the organization, the company should schedule periodic retraining sessions to maintain awareness. All aspects of a security system—the hardware, software, premises, facilities, and personnel—must work in unison and at a consistently high level to safeguard against threats to security.






LANs to WANs: The Complete Management Guide
ISBN: 1580535720
EAN: 2147483647
Year: 2003
Pages: 184
