Enhancing Employees’ Understanding of Risk

November 15, 2004

It’s a dilemma that every IT professional is all too familiar with: heeding management’s call to help keep employee productivity high while fending off increasingly severe threats and vulnerabilities — all at a time when regulatory compliance is more important than ever.

While there are no simple solutions, a security awareness program that emphasizes adherence to security best practices can go a long way toward resolving this face-off.

The changing threat landscape

Educating the enterprise about today’s threat landscape can be a formidable undertaking. One reason for that is the changing nature of the landscape itself. By now, most people are savvy enough to avoid clicking on patently bogus email attachments. But, increasingly, attacks have become more sophisticated, taking the form of blended threats, which pose a significant security issue for companies. Blended threats use multiple methods and techniques to spread and can cause widespread damage very quickly. These threats continue to evolve and have become increasingly successful. Blaster, Welchia, and Sobig are examples of blended threats that tore across the globe in the last year. At one point last summer, companies and individuals had to deal with four high-impact threats in the span of eight days.

At the same time, enterprises are fending off an ever-increasing variety of Internet threats on a daily basis. In fact, more than 100 new viruses and nearly 60 new software vulnerabilities are discovered weekly. The most recent edition of the Symantec Internet Security Threat Report documented a 19 percent increase in attack activity during the first half of 2003. What’s more, vulnerabilities being discovered are increasingly severe. High-severity vulnerabilities give attackers increased privileges and access to more prominent targets. According to the Threat Report, close to 80% of vulnerabilities are remotely exploitable.

Enterprises must also understand that the period of time between the announcement of a vulnerability and the release of an associated exploit continues to shrink, making it increasingly likely that we will see a so-called “zero-day” threat. A zero-day blended threat could target a vulnerability before that vulnerability is announced and a patch made available. Consider: the recent Sasser worm, which began spreading widely on May 1, exploited a hole in a component of the Windows operating system for which Microsoft issued a patch on April 13. The “vulnerability threat window” continues to shrink.

Today’s regulatory environment

Of course, the changing threat landscape isn’t the only force that is affecting information security. The regulatory climate in which enterprises operate has also changed profoundly in recent years. Enterprises are increasingly under regulatory pressure — the governance requirements of the Sarbanes-Oxley Act, the privacy requirements of HIPAA, the homeland defense measures of The Patriot Act, the European Data Protection Act, to name just a few. Failure to comply can result in lost business and customer confidence, in addition to financial and legal liability.

As one CSO recently told CIO Magazine:

“In this time of heightened regulatory and compliance responsibility, most companies find themselves under scrutiny by government agencies, clients, or third-party business partners. As you renew contracts, you will find more and more language about your security practices included, plus requests for statements of policy, practice, and technology strategy.”

To take just one example, consider Sarbanes-Oxley, which the U.S. Congress enacted in 2002 in order to restore public trust in securities, improve corporate governance, promote ethical business practices, and increase the transparency and completeness of financial statements. While Sarbanes-Oxley does not specifically address information security requirements, security has emerged as a critical foundation for compliance. In particular, Sections 302, 404, 409, and 802 of the Act have security implications.

The bottom line: management cannot realistically sign off on the accuracy of their financial statements without proper security controls.

Promoting security awareness

In this environment, it is critically important that an enterprise’s workforce understands information security issues and behaves in a manner that minimizes risks. A corporate security awareness program enables enterprises to improve their security posture by giving employees the knowledge they need to better protect corporate information through proactive, security-conscious behavior. Enterprises must do all they can to promote such a program – one that no enterprise can be without as more and more business is conducted via public networks.

An effective security awareness program provides training and communications resources to help companies meet regulatory requirements for employee security awareness training and reduce vulnerabilities by creating a more security-conscious workforce. The program should be based on security industry best practices and international security standards (such as those embodied in ISO 17799).

By providing knowledge and best practices that employees can use on the job every day, a security awareness program can enable enterprises to comply with regulatory requirements and better manage threats to proprietary information by creating a corporate culture in which employees actively participate in protecting that information from cyber attacks, unauthorized access, and fraud.

Best practices

So what would be included on a list of security best practices? The following far-from-exhaustive list was offered in the most recent edition of the Symantec Internet Security Threat Report:

* Turn off and remove unneeded services.

* If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.

* Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.

* Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.

* Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif, and .scr files.

* Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.

* Train employees not to open attachments unless they are expecting them, and not to execute software downloaded from the Internet unless it has been scanned for viruses.

* Ensure that emergency response procedures are in place.

* Educate management on security budgeting needs.

* Test security to ensure that adequate controls are in place.
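One way to implement the attachment-blocking item above at the mail gateway, as an added Python example that is not from the article or from Symantec. The sample message and filenames are constructed; the blocked extension list is the one the article gives, and the check uses the final extension after trimming and lower-casing so that double-extension names such as "report.txt.SCR" are still caught:

```python
import email
import os
from email import policy

# Extensions the article names as commonly used to spread viruses.
BLOCKED_EXTENSIONS = {".vbs", ".bat", ".exe", ".pif", ".scr"}

# Constructed sample message: one benign PDF and one disguised screensaver.
SAMPLE_MESSAGE = b"""From: sender@example.com
To: user@example.com
Subject: quarterly report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: application/octet-stream; name="report.txt.SCR"
Content-Disposition: attachment; filename="report.txt.SCR"
Content-Transfer-Encoding: base64

AAAA
--b1
Content-Type: application/pdf; name="figures.pdf"
Content-Disposition: attachment; filename="figures.pdf"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""


def blocked_attachments(raw_message: bytes) -> list[str]:
    """Return the filenames of attachments whose final extension is blocked.

    The final extension is what Windows uses to decide how to open the file,
    so "report.txt.SCR" is treated as a .scr; comparison is case-insensitive
    and ignores surrounding whitespace used to pad a name past the visible area.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # containers carry no payload of their own
        name = part.get_filename()  # Content-Disposition, then Content-Type name
        if not name:
            continue
        _, ext = os.path.splitext(name.strip().lower())
        if ext in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits


def should_quarantine(raw_message: bytes) -> bool:
    """Gateway decision: hold the message if any attachment is blocked."""
    return bool(blocked_attachments(raw_message))


if __name__ == "__main__":
    print(blocked_attachments(SAMPLE_MESSAGE))
```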


IT departments continue to be asked to do more with less, and to act more quickly and with greater impact on business success. By actively promoting a security awareness program, enterprises are better positioned to use resources effectively as security threats and regulatory pressures increase.

Technology alone cannot protect enterprises from constantly evolving threats. Enterprises need a combination of people, processes, intelligence, and technology working together to maintain an optimal security posture.
