The importance of network security education

With all the headlines lately of companies finding their customer data and systems compromised, network security is increasingly a key focus for businesses. No matter how tightly your administrators lock down firewalls and servers, monitor systems and so on, there is always a way in. No network is ever totally impenetrable. Your IT department can proactively curb and prevent unauthorized access to systems and data, but those efforts only go so far. To maximize your security, educating your employees is a must.

Employees bring unknown variables to the table when it comes to network security. Which devices do they use every day? Do they bring external hard drives, phones, laptops or tablets from home? What do they download? Which attachments do they decide to save and open?

While your employees don’t necessarily have to be “L337 hax0rs,” there are a few key areas of education that will help facilitate a more secure network environment.

1. Personalize the benefits of security

Unfortunately, most people view network security at their office as “not their problem.” It’s one of those magical areas that is handled by IT. Rules are occasionally issued to all employees, but end users are able to take a passive approach. To change this viewpoint, make your employees feel more involved in security by highlighting how steps and procedures at work can be applied to their own information to prevent identity theft, credit card fraud and so on. Almost everyone buys things online and/or digitally saves photos and files they’d hate to lose. When you can relate your company security policies to personal use, it makes it a lot easier for everyday, non-technical people to become eager to adopt those practices when they see it protects them as well.

2. Solve the password conundrum

Most businesses don’t have the luxury of new biometric systems, smart cards or other password-less methods for employees to use network systems and resources. Those things, while really cool, are pricey. Because of this, password authentication is the most common method for logging on to network resources and company machines.

The problem: can you enforce good password security without compromising it at the same time?

We’ve all seen those Post-it notes with passwords written on them. The more complicated your administrators make password requirements, the more Post-Its you’ll find on monitors and keyboards. Ironically, the common concept of “secure passwords” is something that’s easy for computers to break but difficult for people to remember.

While you want your employees to stay away from using common single words or phrases or even personal dates and names, making them have a password 15 characters long consisting of alternating letters and numbers with no less than 4 capital letters, 3 numbers, special characters in the second and fifth positions… I think you get where I’m going with this. I’m quite sure Albert Einstein never intended his field equations to be used as everyday login passwords.

Your best bet to solve the password dilemma is word associations. That’s right, an expanded version of Catch Phrase makes for better passwords that are harder for automated systems to crack and easier for people to remember. Put three or four random words together, such as:

“team answer faster food” or “peter likes picked peppers”

Slightly modifying those phrases and word strings a bit makes it even more secure, such as:

“sally wentu pthe hillside”

Encouraging word phrases for passwords will provide added security to your employees’ accounts while simultaneously reducing the cost of Post-Its on your supply budget.
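To put numbers behind the claim that a few random words are harder to crack than a short "complex" password, here is an added example (not code from the original post). It estimates the entropy of each scheme and the time an attacker would need to exhaust it. The word list, the 7,776-word list size (the size of the EFF long word list), the 95-character printable ASCII alphabet and the guess rate of ten billion per second are all assumptions for the demo; the entropy figures only hold when the words are picked at random from the list, not when the phrase is a saying the user already knows.

```python
"""Passphrase strength demo: why a few random words beat a short "complex" password.

Added example, not part of the original post. The word list below is a small
constructed sample; the entropy figures assume a real list of LIST_SIZE words.
"""
import math
import secrets

# Constructed sample word list (stand-in for a real multi-thousand-word list).
SAMPLE_WORDS = [
    "team", "answer", "faster", "food", "hillside", "peppers", "ladder",
    "orbit", "copper", "velvet", "garden", "pencil", "window", "rocket",
    "silver", "marble",
]

# Assumed size of a real random-word list (the EFF long list has 7,776 words).
LIST_SIZE = 7776
# Printable ASCII characters available to a "complex" character password.
PRINTABLE_ASCII = 95


def entropy_bits(choices_per_position: int, positions: int) -> float:
    """Entropy of a secret built from `positions` independent uniform choices."""
    return positions * math.log2(choices_per_position)


def passphrase_entropy_bits(n_words: int, list_size: int = LIST_SIZE) -> float:
    """Bits of entropy for n_words drawn uniformly at random from list_size words."""
    return entropy_bits(list_size, n_words)


def password_entropy_bits(length: int, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Bits of entropy for a random character password over alphabet_size symbols."""
    return entropy_bits(alphabet_size, length)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years an attacker needs to try every possibility at the given guess rate."""
    seconds = 2 ** bits / guesses_per_second
    return seconds / (365 * 24 * 3600)


def generate_passphrase(n_words: int, words=SAMPLE_WORDS, separator: str = " ") -> str:
    """Pick n_words uniformly at random with a CSPRNG (secrets), not random.choice."""
    return separator.join(secrets.choice(words) for _ in range(n_words))


def compare_schemes(guesses_per_second: float = 1e10) -> dict:
    """Entropy (rounded to 0.1 bit) and exhaustive-search years for each scheme.

    The guess rate is an assumed offline-cracking figure, not a measurement.
    """
    schemes = {
        "8 chars, full ASCII": password_entropy_bits(8),
        "15 chars, full ASCII": password_entropy_bits(15),
        "3 random words": passphrase_entropy_bits(3),
        "4 random words": passphrase_entropy_bits(4),
        "5 random words": passphrase_entropy_bits(5),
    }
    return {name: (round(bits, 1), years_to_exhaust(bits, guesses_per_second))
            for name, bits in schemes.items()}


if __name__ == "__main__":
    for name, (bits, years) in compare_schemes().items():
        print(f"{name:22s} {bits:6.1f} bits  ~{years:.2e} years at 1e10 guesses/s")
    print("sample passphrase:", generate_passphrase(4))
```

Four random words from a 7,776-word list come out at roughly the same strength as eight fully random printable characters, and five words pull ahead, while being far easier to remember. The generator uses `secrets` rather than `random` so the choice is not predictable from the process state.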

3. Commit to continuing education

Security is an ongoing, ever-evolving business need. Every day, new threats emerge, new technologies become more commonplace and, thus, your employee training must also be ongoing. Most companies will do a security briefing for employees at hiring and then never again. That’s just not enough training. The dialogue about security, best practices and the types of threats needs to be an ongoing conversation. You need to give them reminders and updates.

Personally, I like to send out office-wide emails about critical security threats even if they aren’t necessarily things that affect the corporate network. It goes back to making it personal. If there is a new critical security flaw in software such as Java or Internet Explorer that is patched in the office, I still pass out a non-technical description of the problem so employees can pass the information along to friends and family and be secure using their home devices as well.

4. Be cautious, but not overzealous

Tinfoil hats and rampant paranoia aren’t required for good security, but caution and awareness are prerequisites. Employees need to know that opening suspicious emails, links, attachments or downloads is not worth the risk – even if they know the source. While your IT department can filter a lot of those bad things in various ways, there is always room for malicious programs to gain entry to your network. All they need is one unsuspecting employee to set it free under the guise of something innocent like viewing vacation pictures from a coworker.

You definitely don’t want to take precautions to extremes, though. Making it too difficult for employees to receive or send files introduces other security risks as they try to bypass those restrictions. You also don’t want to scare them so much they are afraid to open anything and end up missing the invitation to the company picnic.

Your employees should also be encouraged to speak up to your IT department if anything unusual happens on their computer or other electronic devices. Even if it turns out to be something trivial, employees shouldn’t be intimidated about speaking up when they see small abnormalities, as they could be signs of a legitimate problem or risk.

Abnormalities extend to social interaction as well. All forms of social engineering should be reported. Explain the importance of exercising caution when receiving unusual phone calls or emails from people claiming to be affiliated with the IT department or requesting remote access information.

5. Simplify

Your IT department needs to do what it can to make security easy on the employees. Most of your employees aren’t technical experts, and over-complicating procedures and policies will only lead to your employees ignoring them or finding shortcuts around them. When you start making things too complex, you can quickly cross a point where your security measures are self-defeating. Automate password change intervals, set security and antivirus software to update automatically, automate software updates and so on, so that you don’t make security a burden or a drain on productivity.

At the same time, making things too simple and too automated causes complacency and reduces awareness. When your employees don’t see a need for security because it all gets magically done for them behind the scenes, they are more likely to adopt a more aloof attitude. Why concern yourself with something that just happens automatically? That kind of situation can be just as bad as making things too burdensome.

Security education won’t make your network impenetrable or totally secure, but it can make things safer and more secure than your IT department can do alone. Educated employees can be even more useful and important than the expensive firewall that protects your network. Now if you’ll excuse me, there is a Nigerian prince who needs my help freeing his fortune…

Post by Anthony Damiano

Anthony Damiano is a technology and security professional with over 20 years of experience, an actor and producer, former U.S. Marine and experienced geek. Anthony held management positions at Universal Pictures, NBC Television and the Motion Picture Association of America and also works as a consultant in information security and as a developer on many open source projects. He is also an amateur chef, hobby artist and Super Villain in training.