Network Security Starts With Education
What often goes overlooked is the education aspect of network security, which is a shame, given its importance. There are three types of security access controls: administrative, physical and technical. Much of the glitz falls upon technical controls, such as fancy software packages that utilize complex algorithms to encrypt data. Less energy is often dedicated to physical security measures (fences, guards, locks), but their effect is never questioned, so most users understand their utility. Administrative controls, by contrast, tend to get both little respect and less attention.
The weakest link in any security chain is often the human element, which is why hiring, education and management policies and procedures often have the greatest impact on an organization’s overall security. Without the proper background checks, a hiring process could result in a criminal being invited into an organization. With improper training, even the most ethical of users could inadvertently delete sensitive data. And without security-focused management techniques, managers might turn a blind eye to security risks, or even encourage them to be taken in the name of expediency.
New Signature often begins every security audit with a review of the basic administrative procedures, including documents detailing how users are hired, trained and let go. What happens when an employee is let go with cause? Without a formal, robust procedure, endless headaches can arise, involving physical security and legal requirements. Once those procedures are thoroughly reviewed, we often move on to ensuring that resources are properly classified and roles are established for every user in the organization. All HR procedures tend to involve some level of security awareness, so each standard operation (promotion, retirement, etc.) should have an accompanying policy affecting a user’s rights. Finally, establishing ownership of security by holding managers responsible for their employees’ actions is key.
Once the foundation is set, a good audit will then move towards ensuring that personnel are properly trained on the various security mechanisms in place. Letting employees know that credit card information may not be transferred over insecure mediums is the responsibility of a secure organization. Many organizations simply assume that the proper technical controls can prevent employee misbehavior, yet when a technical control fails for some reason, employees must be held responsible, so proper training is vital.
The final component of administrative security is proper testing. Much like a fire drill in an elementary school, without an actual dry run, any security system (whether physical, technical or administrative) must be considered brittle. Regular testing helps ensure that when a procedure needs to be carried out (such as a user departing), all the various quirks have been ironed out in advance.