Thursday, June 27, 2013

The true End Point is always located between the chair and the keyboard
Problem:
Many CISOs and security vendors are talking more and more about End Point Protection. Large sums of money are being spent on software suites, appliances, and the implementation of security policies to solve this problem. Yet organizations are still exposed to attacks at the End Point. The reason is that they are not looking toward the true End Point. The true End Point is always located between the chair and the keyboard.
Overall, most organizations spend little time or money on protecting the enterprise from the true End Point. When they do, it is most often at the time of hire. New employees and contractors are given a copy of the organization's security policy and asked to sign an agreement to follow it. Does anyone reading this article think that even 5% of them actually read and understand what they are signing?
Requiring users to take computer-based training (typically a walk-through of the organization's security policies) only once (when hired), or even annually, does not provide even a marginal return on the meager investment in such training. Some organizations are now supplementing end-user training with a 5 to 20 minute live, in-person session. Even this usually amounts to a PowerPoint presentation of what not to do.
None of these tactics actually do much to protect the true End Point. A piece of paper to sign, CBT programs that users click through, and in-person training all have three things in common: they are ineffective, they do little or nothing to change the behavior of the end user, and, most importantly, most end users cannot relate to the information in the first place, assuming they paid attention at all.
So what is the solution? Let me start by saying that it is not giving end users a list of what not to do by any of the above-mentioned methods. Most end users know just enough about how to use a computing device to do their jobs and for entertainment or shopping. The answer is not as difficult or as expensive as one might think. The key is effectively educating the end users.
Solutions:
What is the best way to effectively educate the end users and thus shore up the End Point?
To answer that question, I would like you to first ask yourself a simple question. Which way do you learn more effectively: listening to an instructor who does little more than tell you what to do and not do, or listening to an instructor who makes the training session not only entertaining but also puts it in terms that you can understand and relate to?
A very small part of my current role is to give a pre-developed PowerPoint presentation that is, you guessed it, a corporate-approved list of things not to do. Most of it is beyond the common non-IT person's comprehension as to why and even what. The presentation as given to me by corporate management takes approximately 10 minutes to read to the audience of new hires. However, I have found that if I start the presentation with an introduction, a joke, and an apology for the list of do-not-do's that I am about to present, their attention begins to perk up. I also promise not to speak to them like an IT Security Geek, and I explain to them that my interest is not just in protecting the organization's information but equally in protecting information that belongs to each and every person in the room, regardless of whether it is work info or personal info. Even though the orientation training is mandatory and typically just tolerated by the new hires, I manage to get their full attention. From the moment I first open my mouth to the conclusion, when I offer my email address to anyone in the audience who has a security concern either at work or at home, the end users are fully engaged, entertained, and most of all interested in learning about all that I have to say.
Information security guidance, like most other information received only once, is more often than not forgotten after a period of time. For a relatively small investment, information security can be kept in the forefront of the end user's mind by keeping it current, interesting, and entertaining. Rather than, or in addition to, an annual CBT, provide in-person training on an annual basis. Send out periodic newsletters to all end users about current threats and how those threats can affect their own personal lives and bank accounts. There are several ways to make security awareness both interesting and fun; just think outside the box.
If End Point protection is an important issue in your organization (as if it could not be), then a concerted effort must be made to protect the true End Point. Make it entertaining while keeping the focus not only on the security of your organization but also on the personal security of the information of all your end users. If done correctly, everyone wins.

Brad Boynton, CISSP
Former CISO at a US based Medical Device Manufacturer
Redtide69@gmail.com