Security Awareness for IT Employees
Stating that information security is everyone’s job is not something new; just try asking any person in charge of awareness efforts how many times they have done so. Even if your company has a dedicated security team, it is very important to let every employee know that they have a shared responsibility for the company’s data protection.
Since information security is so closely linked to IT protection, most would assume that IT workers would be way ahead of the game, quite aware that they play a major role in data protection and would not stray from secure behavior, following security rules without questioning and helping in the early detection of security related incidents. The simple truth is that most of the time IT employees are among the biggest insider threats to security.
The Importance of Security Awareness for IT Employees
Let’s list a few good reasons why security awareness for IT employees should be a major concern for all organizations:
- An employee just like any other: For starters, IT team members are employees and, just like any other person who works at your company, they are bound to follow corporate guidelines for IT security. Having them participating in security education/awareness efforts may be mandatory for some organizations but, even if that is not the case, it is important to understand that security requirements, policies, guidelines, standards, and procedures will vary a great deal from business to business. If a company assumes a person will promptly understand/accept/follow the corporate security rules and be conscious of the specific threats to the business without having any prior training and awareness, that is a really poor managerial decision.
- Resistance to rules: Having just stated that IT employees are workers just like any other, it may sound contradictory that now I point out a major difference in behavior. The truth is that IT people, the same ones who most of the time are required to enforce security, are not very fond of following rules. For instance, if there is a problem with whatever spreadsheet software they are using, an IT worker may reinstall the software by himself to solve the problem instead of contacting the service desk.
Not only that, but in some cases IT employees may know how to easily circumvent rules: If the USB devices are blocked, if a website is not allowed, if a specific application is not installed, for a typical user that would be it. For an IT user, it may be a simple question of messing around with system settings, changing a registry entry, or using a portable proxy avoidance tool.
So, since standard security controls may not be that effective with IT employees, the only option is making them aware of the risks of not following rules; this should not only cover the threats to the company, but should also make clear the consequences violators will face.
- IT workers make the same mistakes: Putting aside intentional bad behaviors, most security incidents related to IT employees will be caused by simple mistakes. For instance, if a company does not enforce complex passwords or does not have password management software, it is almost certain to find people within IT using the simplest passwords and even writing them down in easily found places.
Developers are another group that can inadvertly create security flaws: it is not at all uncommon for someone having trouble with a syntax error to download sample source code and use it without any concerns for security; but it gets even worse, because misguided developers may simply share a piece of sensitive code on a public online forum in search for help.
The fact is, while IT employees may be more comfortable with technology, they are not invulnerable to simple mistakes, and that includes falling victim to in-person social engineering, opening attachments from unknown sources, downloading software from outside the official stores, clicking on links in social media sites, etc. Again, even though IT employees are expected to know that this is a risky behavior, incidents are bound to happen without proper security awareness training.
- A prime target for cybercriminals: Since we already established that IT employees can make the same mistakes as normal users, it is not at all difficult to understand why they are a prime target for attackers or cybercriminals. Most of the time, IT personal have access to sensitive information. This may come in the form of administrative rights, source code access, documentation, physical access to restricted areas such as a datacenter, advanced operational system features, and almost unrestricted network/internet access, to name only a few examples.
Now, if a regular user falls victim to a phishing scam and inadvertly shares his password, it can either be a minor or major issue for the company, depending on what the user does and his level of access. If an IT user falls for the same scheme, it is much more likely to cause a high level of harm to the business. Even the most basic IT functions are a common place for sensitive access. Many entry positions such as IT technicians may have administrative rights on user computers or file shares; a DBA or developer with access to the production environment (not recommended by the way) may expose sensitive files, documentation or even access to critical system.
Security Awareness: How to Educate IT Employees
What is the best approach to “inoculate” employees and prevent both deliberate and unintentional security incidents from IT personnel? The answer is creating an awareness program that reflects the level of harm an employee may cause to business.
This will require a proper understanding of the audience and developing awareness pieces accordingly, while a part of the awareness material will be designed for the employees as a whole, some of it must be created specifically for key areas such as IT or even an IT-subset (i.e. coders, DBAs, network administrators).
Here are some tips that can be quite useful in bringing your awareness program up to speed:
- Your audience already knows the basics of technology: Simple as that, since we are talking about IT employees, it is reasonable to assume that they already have a good understanding of tech, otherwise you would not have hired them. As with any audience, speaking in a language they fell comfortable is of key importance if you wish to get your message through. With a general employee group, using technobabble may not be the best idea, but since we are talking about IT geeks, this approach can be of great value to get their attention going.
- The basics of information security: Now, understanding technology and even being an expert in some related areas may not require a profound knowledge of information security, so it is always best to not assume IT employees are already proficient with information security. There is no harm in starting from the basis, so some effort should be made to ensure that things like basic concepts, terminology, procedures, guidelines, and policies are well understood. This can be accomplished real easily by creating a security handbook (that can also be used with non-IT employees) and having quick presentation sessions.
- Be specific: IT employees can work in several different areas that are subject to specific risks. While it is important to have your entire team aligned on the general terms, there is little to be gained from spending resources and time educating an employee about a subject that does not involve his line of work. For instance, server admins may not be required to know more than the basic concerns of coding vulnerabilities and your development team does not need to be concerned with the operational system’s security settings. Again, it is all dependent on knowing and understanding your audience.
- Whenever possible, use real examples: More often than not, IT personnel will be directly involved in dealing with security incidents. While it is important to avoid over-exposition of past issues, having practical examples pertinent to the company’s risk scenario is one of the best approaches to accomplish awareness. For example, if a company has a history of malware infection or, even worse, suffered a ransomware attack, it is always good to discuss it with the tech team and point out whatever security controls were missing and, if there was malicious intent, what the consequences were and what has improved to help avoid further occurrences.
The human factor has been and will remain a major part of most data breaches or any other type of security incident. IT employees can either be a source of vulnerability or one of the most resilient combatants in a company’s information security efforts; it is all a matter of being aware and adequately trained.
While IT people in general have more experience and are even easier to educate on security matters, it is important not to underestimate the level of exposition that may arise if IT employees are not part of security aware efforts. Simple unintentional mistakes can become major incidents that may impact operations, financial results, and even the image/reputation of any business.