Cyber Security Institute

Monday, October 24, 2005

Security awareness training: How to educate employees about spyware

We all know the threats posed by spyware to enterprise networks: user ID and password theft, financial loss, productivity drain, intellectual property theft.  Security practitioners have two defenses at their disposal: the human and the technical.  While the technology for combating spyware is improving, antivirus vendors have only recently started adding functionality to target it.  That means the best defense is the human one—employees and end users.  They can help in the battle against spyware through security awareness training and information security policies.

Educating end users about spyware should be part of any comprehensive security awareness training.  It should be part of at least half-day or, preferably, whole-day training required of all employees at all levels, from the executive suite down to the receptionists and security guards at the front door.

Training should be a condition of employment with mandatory attendance noted as part of annual performance reviews.

As the number of security threats keeps growing every year, training should be updated annually and employees should be required to take it once a year.  Training conducted in groups of a few dozen at a time will not disrupt daily operations, yet it can still cover the entire staff over the course of a year.  Your IT/Information Security staff members should have the background to put together and conduct training without having to look elsewhere.

Reinforce training efforts with monthly newsletters that include security awareness tips.  Internal publicity is a real morale booster.

Policies for preventing spyware are similar to those for protecting a network from other uninvited malware, such as viruses, worms and Trojans.  The most effective policy is to prohibit employee access to the Internet altogether.

Spyware/malware policies include prohibiting users from downloading software from the Internet, including file-sharing software and toolbars, and prohibiting users from visiting questionable Web sites, the most obvious being pornography and gambling sites.  “Users are advised to report to the Help Desk suspicious activity on their desktops, such as excessive pop-up windows opening simultaneously, unusually slow desktop performance or their Web browser being redirected to unwanted sites, such as pornographic or gambling sites.”
