Security Awareness

 

Contributed by IT Committee

"In 1994, a French hacker named Anthony Zboralski called the FBI office in Washington, pretending to be an FBI representative working at the U.S. embassy in Paris. He persuaded the person at the other end of the phone to explain how to connect to the FBI's phone conferencing system. Then he ran up a $250,000 phone bill in seven months."1

You read about it time and time again: a security breach caused by unaware employees who simply did not know what they were doing; breaches that could have been avoided if employees were just made aware not to open an unknown attachment, click on a link, or provide Non-Public Information (NPI) to what they thought was the Help Desk or a co-worker. It has been well substantiated that Security Awareness training is the best way to deter security breaches caused by employees.

In March 2007, Missouri Employers Mutual (MEM) contracted with SunGard Availability Services to conduct a security assessment. This assessment included testing of perimeter or external-facing systems, social engineering, internal-facing systems and physical security. The information gathered from this assessment was used to help develop and structure MEM's security program. While we did perform well from a system perspective, the assessment proved that human behavior, if left to uninformed decision making, was an area we definitely needed to improve upon. The exercise further illustrated that humans are the most vulnerable link in the overall security process. As part of MEM's data privacy and security project, we decided that a security awareness program was necessary and essential to MEM's long-term success.

MEM’s Security Awareness Program

Following are the vision and mission statements that were developed for MEM’s security program—and consequently the awareness program—to clearly and concisely convey the programs' direction:

  • Vision Statement - Ensure the availability, integrity and confidentiality of MEM's information.

  • Mission Statement - Provide a security program to protect policyholder equity by ensuring corporate information necessary for legal, administrative, fiscal or historic purposes is reliable, timely and secure.

Security awareness is one of the most overlooked but critical components in any corporation's repertoire of security tools. MEM's program consisted of the following items:

  • Company-wide Kick-off Meeting
  • Pre-Assessment Online Quiz
  • Formal training from FishNet Security
  • Security Awareness Articles on Intranet Site with Quizzes
  • Post-Assessment Online Quiz

Company-wide Kick-off  

To kick off our security awareness program at MEM, we had a company-wide "Lunch and Learn" meeting to discuss identity theft. A professional pickpocket and Certified Identity Theft and Risk Management Specialist, Gene Turner, wandered the crowd during lunch. While he discussed identity theft with the audience, he targeted individuals to lift wallets and watches.

Photo caption: Mike Croy, Assistant Vice President of Loss Prevention, checks his pocket after realizing Gene is holding his wallet.

Essentially, Gene was able to correlate the lifting of wallets and personal items to stealing personal identity information in other manners, as well. This entertaining demonstration made it easy for employees to grasp concepts and was an impactful kick-off to a successful security awareness program.

To measure the level of improvement from the security program, we conducted a pre-assessment quiz before rolling out security awareness and training. This gave us the baseline against which to compare the post-assessment results at the end of the program.

Security Awareness Training  

Security awareness training at MEM was provided by FishNet. It was mandatory and consisted of the following modules:  

  1. Protecting Confidential Information
  2. Protecting your Computer and Network
  3. Mobile Computing
  4. Physical Security
  5. Social Engineering

Security Awareness Articles on Intranet Site  

Security awareness articles developed by MEM’s security administrator were designed to reinforce the training employees received from FishNet. The theme for the series of articles was, “Don’t let it happen to you.” 

     Article 1:  Protecting Confidential Information
     Article 2:  Mobile Computing and Protecting your Computer and Network
     Article 3:  Physical Security
     Article 4:  Social Engineering, Pharming and Phishing

Conclusion  

Everyone has a role in security awareness; sometimes people just don't realize they have a role and how important it is. Security awareness is an ongoing endeavor, so you can never rest on your laurels. MEM will be conducting another security assessment this fall and will post several security awareness articles on our intranet site during cyber security month in October.

1. Bruce Schneier, "Secrets and Lies"

Resource Links:  

NIST (National Institute of Standards and Technology) — Building an Information Technology Security Awareness and Training Program.  

SANS (SysAdmin, Audit, Network, and Security) — Free resource area.

Gene Turner — Certified Identity Theft Risk Management Specialist and Pickpocket Entertainer, www.pickpocket.com


Published in AASCIF News, First Quarter 2010.