{"id":211,"date":"2010-01-21T00:00:00","date_gmt":"2010-01-21T00:00:00","guid":{"rendered":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2010\/01\/21\/5-tips-for-cybersecurity-training-your-employees\/"},"modified":"2021-12-30T11:36:45","modified_gmt":"2021-12-30T11:36:45","slug":"5-tips-for-cybersecurity-training-your-employees","status":"publish","type":"post","link":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2010\/01\/21\/5-tips-for-cybersecurity-training-your-employees\/","title":{"rendered":"5 tips for cybersecurity-training your employees"},"content":{"rendered":"<p>When Dennis Lauer joined the Millennium Challenge Corp. as chief information officer two years ago, the young federal program&#8217;s growing pains included a startling lack of security.  It was an almost free-for-all atmosphere, he recalled.  Employees installed Apple iTunes on the agency&#8217;s network and regularly infected their machines by clicking on pop-ups that harbored malicious code.  &#8220;Almost every day we had [surreptitious] viruses, and people didn&#8217;t know not to click on&#8221; them, Lauer said.  The security situation began to change for the better when the office adopted new security policies and practices.  Launched in 2004, MCC had taken a few information technology shortcuts in its early years as the U.S. government corporation embarked on its mission of helping underdeveloped nations.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>When Lauer arrived at the agency, he had a list of more than 20 noncompliance items from Federal Information Security Management Act audits.<\/p>\n<p>Now when users log on to the MCC network, they are greeted by a Tip of the Day awareness training application, which asks a question about IT security.  
Besides giving managers an easy way to assess the agency&#8217;s training program, the daily quizzes have also made employees more mindful of security.<\/p>\n<p>&#8220;We&#8217;ve had a tremendous reduction in viruses,&#8221; Lauer said.  &#8220;Instead of clicking on things, [users] call the help desk.  They never used to do that before.&#8221;   <\/p>\n<p>But not every agency can report such success.  Indeed, experts say the goals of user training efforts are still a long way from being realized.  &#8220;There is a gap, and the gap is costly because it undermines all the technology being thrown at security problems,&#8221; said Keith Rhodes, senior vice president and chief technology officer at QinetiQ North America&#8217;s Mission Solutions Group.  &#8220;No approach to training is infallible because human beings are fallible, and of course, human fallibility is what training tries to counter,&#8221; Rhodes said.<\/p>\n<p>Four out of five federal IT managers said they provide ongoing classes on security policies and procedures.  But even then, almost half had seen employees post passwords in public places, violating one of the most fundamental security proscriptions.  The survey highlights one of the hardest tasks in IT security: changing user behavior.  For instance, firewalls won&#8217;t prevent an employee from stowing passwords under a mouse pad or engaging in other careless practices.<\/p>\n<p>Security managers and industry consultants say there are a few basic techniques for evaluating the effectiveness of IT security training and improving the odds that the lessons will sink in.  At MCC, new employees receive IT awareness training as part of their orientation, and the security tip of the day provides ongoing reinforcement.  
MCC officials keep tabs on employees&#8217; security awareness by tracking responses to those daily quizzes via a monthly performance report.<\/p>\n<p>Organizations with multiple locations always face a tough challenge when it comes to developing and measuring the success of training programs.  Colorado, for example, is 18 months into a four-year initiative that will meld the IT operations of 16 executive branch agencies under the statewide Office of IT.  &#8220;To get metrics to prove that end-user security is working, you&#8217;ve got to be in a consolidated environment,&#8221; said Seth Kulakow, Colorado&#8217;s chief information security officer.  Consolidation will provide the consistency required to gather the correct metrics, he added.<\/p>\n<p>Barr recommends that agencies use internal IT security employees to conduct quarterly vulnerability assessments and external experts for annual vulnerability assessments.<\/p>\n<p>Colorado&#8217;s Kulakow has also recommended making an employee&#8217;s adherence to security policy part of his or her performance evaluation.<\/p>\n<p>Content filtering and data loss prevention are among the products agencies can use to counteract human nature, said Keshun Morgan, a networking and security specialist at CDW-G.<\/p>\n<p>Tip no. 1: Make employee testing simple and routine<br \/>\nTip no. 2: Check what they do, not just what they know<br \/>\nTip no. 3: Put security in personal terms<br \/>\nTip no. 4: Invoke consequences for misbehavior<br \/>\nTip no. 
5: Always remember the limits of training<\/p>\n<p>http:\/\/fcw.com\/articles\/2010\/01\/25\/feat-cybersecurity-training-a-must.aspx<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-211","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/211","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=211"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/211\/revisions"}],"predecessor-version":[{"id":2698,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/211\/revisions\/2698"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=211"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=211"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=211"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}