Security Awareness Blog

Communications - WHO

In an earlier posting we focused on communication, specifically how it is critical to any successful awareness program. We also broke communication down into three key categories: WHO, WHAT and HOW. Every awareness program should always start with WHO first. WHO you communicate your awareness program to determines WHAT information you will communicate, and HOW. So, let's take a closer look at the WHO part; it is not as simple as it may seem (this is a theme you will see repeatedly for awareness :).

  • Employees: Okay, this is where almost every awareness program starts, and to be honest this is where most of them end. Obviously employees are the most important sub-category of WHO, as they are often the largest part of any organization. But they are not the only group.
  • Contractors: Contractors play an important part in many organizations, often having just as much access to classified information or critical systems, but they are often forgotten or not included in any awareness program. This is because they are often more difficult to reach: they come and go and may be on board for only a short time. Some contractors may never actually set foot in the organization, working remotely thousands of miles away instead. If your organization has contractors, you are going to need a program that applies specifically to them. The content you teach them (the WHAT) will most likely be the same as for your employees, but HOW you deliver it may differ due to the transient or remote nature of contractors.
  • Management: Management is often one of the toughest nuts to crack. With this group, an awareness program really has two goals. The first is to get their buy-in and support for the awareness program. The second is actually making them aware. Often senior management are the least aware ("I don't have time for awareness training") but can also be the primary target (think spear phishing, or senior management traveling to conferences with key, classified data on their laptops). We will spend more time in the HOW post on the best ways to reach this category.
  • IT Staff: Often these guys are the ones that can do the most damage, because they have the most critical access. When an employee messes up, their laptop gets infected. When an IT admin messes up, your whole network gets owned. I know of one case where an IT admin was logging into free porn sites that required he use a login and password. You guessed it, he used the same login and password that he used to administer the local networks. Needless to say, they got totally owned. As a result, you will need a modified awareness program for IT staff. Often you need to teach them the same things employees are taught, but with additional items, such as administrative account management.
  • Customers: Now here is a category most organizations never consider, but should. Often the weakest link is not the organization itself but its customers. Two common examples are banks and telcos, which often deal with security issues caused by their customers. Banks are the classic example: most compromised bank accounts are the result of infected customer desktops from which the passwords were stolen (for more on this, see the excellent series on Brian Krebs' blog).

This is a brief overview of where I recommend organizations start when identifying WHO the target of their awareness program is. If you have any other suggestions for categories, please leave a comment; we want your suggestions and input! In the following posts we will discuss WHAT content you want as part of your program, and finally the hardest part, HOW.