5 Reasons Why Security Awareness Training Programs Fail

By Steve Addison, February 9, 2010

All too often, I hear about security awareness training programs that fail. Here are some of the reasons that I hear:


  1. The information that they contain is inappropriate for the audience (usually far too complex).
  2. The presentation of the information is dull or dry.
  3. The program is too expensive to run on an ongoing basis.
  4. Students don’t have enough time to take the training.
  5. The program doesn’t fit with other training initiatives in the organization.

I’m not going to try to rank these in any kind of order. But, over my next few posts, I’m going to look at each of these in turn, try to identify the pitfalls, and give you some suggestions that may help you avoid them.


Security Awareness Training for Call Center Reps

By Steve Addison, January 14, 2010

Call centers often handle highly sensitive information for customers, including financial data such as credit card details, Social Security numbers, and bank account details and, in some cases, health information. This means that they need to comply with an increasing number of regulations, such as PCI DSS and HIPAA, which require security awareness training for all staff, including full-time, part-time, temporary, and seasonal reps.

But security awareness training for the reps in a call center provides some challenges. In particular:

  1. Staff (rep) turnover rate can be high, and the average length of employment short.
  2. Staff often don’t have (company) email accounts.

Let’s look at each of these factors in turn.

High Staff Turnover

There’s really no such thing as a typical staff turnover rate for a call center – figures vary widely. For instance, a survey by Purdue University’s Center for Customer Driven Quality (CDQ), quoted in “Call Center Management: People Versus Technology” by Drew Robb, shows a very wide range.

  Rep type             Median   Average   Highest
  Part-time Inbound    20 %     33.6 %    300 %
  Full-time Inbound    19 %     26.0 %    252 %
  Part-time Outbound   15 %     35.5 %    480 %
  Full-time Outbound   10 %     21.3 %    210 %

And a survey conducted by the International Customer Management Institute (ICMI) in 2000, reported on the ICMI website, showed the following data for average full-time staff retention periods:

Although not presented, one would expect the average retention period for part-time staff (such as seasonal staff employed during holiday seasons) to be much shorter. Overall, it would be fair to say that the turnover rates are generally a lot higher than in many other types of organization.

So what does this mean for security awareness training?

  1. Continuous recruitment throughout the year means that it can be difficult to schedule classroom training sessions. So training should be “on demand” which, these days, typically means web-based training.
  2. Because of the relatively short retention periods – especially when recruiting reps for seasonal vacancies – the learning curve needs to be as short as possible. Therefore, extended training classes aren’t going to be practical, and a highly condensed and customized course/class is advisable.
  3. The administrative effort in setting up and managing student accounts and tracking training must be minimized. Therefore automation is critical which, once again, typically means web-based training.

Emails

Many web-based training systems rely on email for login identification, and for other communications with students. But not all call center reps have company email accounts, or access to email at work. So you may not be able to rely on this. If you’re looking at a web-based training system, make sure that it doesn’t depend on your students having email accounts.

Course Content and Presentation

As noted above, the time available to train your reps is going to be very limited, so you’re probably going to want to have a highly condensed and customized course/class that covers the specific business processes that your staff will be dealing with. For example, if you don’t have company email for reps (see above), you won’t need to deal with email security, and if you don’t deal with information on paper, you won’t need to cover document retention and destruction in the same way as you would if your reps deal with paper orders and invoices.

If you’re not going to develop the course/class yourself (and I’d recommend that you don’t), you can probably find a number of providers who will be able to work with you to develop the content you want. Look for a couple of things:

  • A provider with a library of existing content that can be used as the basis for your training so that you’re not re-inventing the wheel.
  • A provider who stresses simplicity in their approach to presenting the information so that the course is succinct and focused rather than presenting the students with numerous external links, games, exercises, pop-quizzes …

And a final note – since call centers, by their very nature, involve audio communications (telephone calls), it might be tempting to make heavy use of audio in your training courses. Don’t. As this blog post talks about, excessive use of audio can:

  • Increase course development and maintenance costs.
  • Use additional network bandwidth which might cause operational problems.
  • Slow down the learning process.

Use audio sparingly – perhaps including some sample rep-client conversations. But don’t narrate every slide since it will slow the learners down considerably.

Other Considerations

Here are some other things you should think about when looking for a security awareness training solution for your reps.

  • Regulations such as PCI DSS and HIPAA don’t just require staff to receive training – they require staff to read and acknowledge security policies. Doing this on paper could quickly become overwhelming for your administrators – especially when auditors come in and start asking for reports – so look for a training system that will also handle policy signatures and reporting online.
  • Security isn’t the only area which requires staff training and policy affirmation, so ask around your organization to see if there are other areas that could share the system (and cost!).
  • Managers, supervisors and IT staff are probably going to need to receive additional training. This isn’t (generally) subject to the same constraints as the training you need to provide to reps, but they should take the same basic training regardless and then receive additional courses/classes as required.

Summary

Here are the key things that (I think) you should do when developing or purchasing a security awareness training solution for your call center reps:

  1. Use web-based training. The system that you need should:
     1. Automate student management processes as much as possible.
     2. Incorporate policy signature management within the same system as the training.
     3. Allow use by reps who don’t have company email accounts.
     4. Be extensible to other training and/or policy signature needs within your organization.
  2. Provide reps with a highly condensed course/class customized to your organization’s specific needs. Base this on existing materials wherever possible, and don’t get too fancy with the presentation – training time is of the essence.

Call center photo from Flickr: http://www.flickr.com/photos/elifayse/ / CC BY 2.0

H1N1 and Snowstorms – Training for Teleworkers

By Steve Addison, December 21, 2009

In a blog posting entitled “H1N1 and telework,” Akamai’s Senior Director of Information Security and Chief Security Architect, Andy Ellis, writes that:


[H1N1] affects us in the workplace. If an employee has a small child and they don’t have a stay-at-home caregiver, expect that they’re going to miss more time than in prior years … Also, you may want to suggest that employees with sick children stay at home even if they aren’t the primary caregiver, just to minimize workplace infections.

Andy then goes on to talk about the components of a telework plan that could be used to minimize the disruption.

An interesting post and, with the recent weather-related travel problems on the East Coast, even more timely. There are going to be times when you need staff to work from home, and sometimes this may not be pre-planned. So, in addition to the components that Andy outlines in his blog, you might want to think about some of the training aspects of this. In particular:

  1. If an employee working at home is going to be:
     • accessing your IT systems remotely; and/or
     • making work-related phone calls from home; and/or
     • taking a work laptop computer home; and/or
     • doing work on a home computer; and/or
     • taking work-related documents home
     you must make sure that he/she understands the additional security issues that result from working outside your organization’s perimeter. In particular, you’re going to want to caution them about ensuring the physical security of sensitive data (documents and computer resources) and, if appropriate, show them how to remotely access your network securely.
  2. The training that you provide needs to be “on-demand” because you’re unlikely to know exactly when it’s going to be needed, and it should be provided as close to the time that it’s needed as possible, i.e., not a year ahead of time.
  3. The training needs to be accessible remotely, typically through the Internet. Ideally, the training won’t require the employee to access your network remotely, but will be hosted on a server that has a web interface.
  4. A policy and procedure(s) need to be put in place to deal with this contingency, and all line managers who might have staff working remotely should be made aware of this. The policy and procedure(s) are going to cover more than just security (see Andy’s blog post for more suggestions about what they should cover) and may well be related to your business continuity plans.

If there ever was a topic that’s perfect for web-based training (remotely-accessible and on-demand) this is it!


Security Problems with Acrobat and PDF Files

By Steve Addison, December 15, 2009

PDF documents are no longer the security panacea we thought they were. And security awareness training needs to catch up with this.

For years, IT and security professionals have been advising people to distribute documents in PDF format rather than as Word .doc files. In part, this prevents the average user from making changes to the document, but it was also perceived as being more secure since Word files were known to contain macro viruses.

Sadly, the security advantages are no longer so clear-cut. It’s been known for a while that Acrobat Reader – the software that’s installed on the majority of business and home PCs – has some security problems (but, to be fair, it’s hard to find a piece of software that doesn’t). Now, csoonline.com has posted a warning that hackers are taking advantage of a vulnerability in Acrobat Reader. And here’s the official post from Adobe on December 14 which says:

This afternoon, Adobe received reports of a vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions being exploited in the wild.

So, we have to make sure that our security awareness training includes the following advice to end-users:

  1. All applications – including Acrobat Reader – must be kept up-to-date with security patches. This is not limited to Microsoft products and the Windows operating system.
  2. Since hackers may try to attack before security patches are available for applications, we should be extremely careful with documents from unknown and/or untrusted sources.
  3. Although today’s antivirus software is very good, we can’t rely on it 100% because it takes time for updated signature files to be distributed and installed, during which time we might be vulnerable to attack.

I don’t think there’s anything really new here – just a reason to check that our awareness training is accurate, and to remind staff of the threats that are out there. And perhaps to think about whether we really need fancy formatting, or whether plain text would do just as well!


Social Engineering Using Facebook

By Steve Addison, December 15, 2009

Banning social network use DOESN’T prevent it being used for social engineering attacks.

An excellent article in Dark Reading describes how a security consulting company carried out an (authorized) social engineering attack on a client using information gleaned from Facebook. The client’s staff had posted information about what they did for the client (job titles, phone numbers, and email addresses) and personal data (appearance, height, weight, family background) – enough information for the consultant to create a bogus business card and then bluff his way into the client’s offices. In fact, as the article says:

On the day we intended to breach the facility, our guy was dressed with a shirt embroidered with our client’s logo, and armed with business cards, a fake company badge, and his laptop. Upon entering the building, he was immediately greeted by reception. Our man quickly displayed his fake credentials and immediately began ranting about the perils of his journey and how important it was for him to get a place to check his email and use a restroom. Within seconds, he was provided a place to sit, connection to the Internet, and a 24×7 card access key to the building.

After reaching the goal of accessing the network, he departed at the end of the business day. Later that evening, he returned to the empty office building to conduct a late-night hacking session. As usual, numerous credentials and passwords were obtained from insider sources. Within a short period of time, he had accessed the company’s sensitive secrets.

Scary stuff. However (and I’m going to write this in bold because it’s so important) …

Banning social network use in the workplace would not have prevented this attack from being successful!

The important point to note about this (excellent) article is that banning social network use in the client’s workplace would probably have made very little difference since many of their employees – especially those expressing disaffection – would probably have continued to post the same information to Facebook from home.

Far better, surely, to engage the workforce and explain to them the dangers of social networks – whether used from a company system, or from home.

And one additional thing – if you’re responsible for an organization’s security, you really should be monitoring the social networking space at all times to detect:

  1. Inappropriate posting of information relating to your organization by your organization’s staff
  2. The fraudulent use of your organization’s name/identity
  3. Bogus accounts set up in the name of your organization’s staff

URL Shortening as a Security Threat?

By Steve Addison, December 3, 2009

Most of us are familiar with URL shortening websites such as bit.ly, tinyurl.com, and is.gd. It’s one of the technologies that’s fuelling the explosive growth of social networks such as Twitter – after all, 140 characters isn’t a lot of space to fit a message if most of it is taken up with a URL!

But the use of URL shortening can be a major headache since a shortened URL could obscure the real target address and, as a result, it could be used to redirect the viewer to an unexpected site such as a phishing website, or a website infected with malware.

So what should we teach our students about shortened URLs? I have to confess that I’m at a bit of a loss here. The only things that I can suggest are:

  1. Links provided by people who are known to you are – generally – going to be safer than those provided by strangers. However, Twitter and Facebook accounts have been hacked and used to send out malicious links, so knowing the sender isn’t 100% safe.
  2. Links that have ‘context’ are likely to be safer than links that don’t. For example, if a tweeter (is that the right term?) has been writing about learning management systems for a while, and then includes a link in a tweet that claims to be the URL for a website about e-learning, it’s probably going to be OK. If that same person suddenly posted a link with the text ‘Find out more about weight loss supplements’, it would be out-of-context and you should be VERY wary.
  3. Keep all of your software up-to-date in case you’re directed to an infected website.

Beyond that, I don’t know what to say. I know that Twitter and some of the URL shortening services have started to address the problem – Twitter by checking the destination of links entered into tweets, and URL shortening services by providing a preview service – but neither of these approaches seems to have solved the problem right now.
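A defender-side preview tool for the problem described above, added here and not part of the original post: it walks a shortened link’s redirect chain with HEAD requests (never loading the final page), reports every hop, flags redirect loops and over-long chains, and checks whether the final host matches the domain the link claimed to be about. The hostnames in the sample table are constructed placeholders standing in for the network.

```python
"""Preview where a shortened URL really leads by following its redirect chain
one HEAD request at a time, without ever fetching the destination page."""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Refuse to auto-follow so each hop is handed back to expand() for inspection.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def head_fetch(url):
    """Network fetcher: HEAD the URL and return (status, Location header or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:   # 3xx lands here because we refused to follow
        return err.code, err.headers.get("Location")


def expand(url, fetch=head_fetch, max_hops=10):
    """Return {'final', 'chain', 'status', 'loop', 'truncated'} for a link."""
    chain, seen, status = [url], {url}, None
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return {"final": chain[-1], "chain": chain, "status": status,
                    "loop": False, "truncated": False}
        nxt = urljoin(chain[-1], location)   # Location may be relative to the hop
        if nxt in seen:                      # A -> B -> A would never terminate
            return {"final": nxt, "chain": chain + [nxt], "status": status,
                    "loop": True, "truncated": False}
        seen.add(nxt)
        chain.append(nxt)
    return {"final": chain[-1], "chain": chain, "status": status,
            "loop": False, "truncated": True}


def matches_context(report, expected_domain):
    """Does the final host belong to the domain the link claimed to be about?"""
    host = (urlparse(report["final"]).hostname or "").lower()
    expected_domain = expected_domain.lower()
    return host == expected_domain or host.endswith("." + expected_domain)


# Constructed redirect table (hypothetical hosts) used in place of the network.
SAMPLE_HOPS = {
    "http://short.example/abc": (301, "http://tracker.example/r?u=1"),
    "http://tracker.example/r?u=1": (302, "/go/elearning"),
    "http://tracker.example/go/elearning": (302, "https://www.lms-demo.example/course"),
    "https://www.lms-demo.example/course": (200, None),
    "http://short.example/loop": (302, "http://short.example/loop2"),
    "http://short.example/loop2": (302, "http://short.example/loop"),
}


def sample_fetch(url):
    return SAMPLE_HOPS.get(url, (404, None))


if __name__ == "__main__":
    for link in ("http://short.example/abc", "http://short.example/loop"):
        r = expand(link, sample_fetch)
        print(link, "->", " -> ".join(r["chain"]), "(loop)" if r["loop"] else "")
```

Pass `head_fetch` (the default) instead of `sample_fetch` to preview a real link; the chain it returns is what a preview service shows you before you click.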

Anybody have any other advice?


Shopping Tips from the FBI

By Steve Addison, November 30, 2009

Following my post about McAfee’s 12 Scams of Christmas, here’s some safe shopping advice from the FBI. Good source material for a seasonal security awareness message to your staff.


Scanners and Shared Drives

By Steve Addison, November 30, 2009

Along the same lines as my recent post on photocopiers and information security, a friend of mine tells me that, in his organization:

… we have a major issue with people leaving scanned expenses on a shared drive. It’s great technology, but easy to forget the obvious.

Again, we have messages for two audiences:

  1. For All Staff – Be aware that scanners attached to PCs may well store copies of scanned documents on a local or networked hard drive, and those copies may be accessible to other people using the same computer. This is especially important to remember if you ever use a scanner outside your organization’s office, e.g. at a Fedex/Kinkos, at a client site, at home, in a library …
  2. For IT Staff – As far as possible, try to ensure that copies of scanned documents aren’t stored in public disk space. If that’s not possible and you handle sensitive documents, designate certain PCs+scanners as acceptable for sensitive documents and restrict access to those PCs.

As my friend says, the obvious is easy to forget.


Sometimes the Medium Can Be the Message

By Steve Addison, November 28, 2009

An article in a recent issue of Business Week highlighted security issues with software produced by Adobe – especially Adobe Reader, which is widely used in small and large organizations. The article quotes Kaspersky researcher Roel Schouwenberg saying “Adobe at the moment, is the main target.” And the article goes on to suggest that “Adobe” (presumably meaning Acrobat Reader) has replaced “Microsoft” (presumably meaning Windows) as the primary attack vector for hackers.

Attacks on vulnerabilities in application software rather than in the underlying operating system are hardly new. Anyone in the information security world can probably reel off a list of similar cases without too much difficulty. And all information security awareness training should remind students that applications must be kept up-to-date just as much as the operating system and antivirus software.

But this article also provides you with an opportunity to bring security to the attention of business managers. Often, attempts to educate managers on security issues use links and references to IT websites, or to information security blogs. And, all too often, managers ignore these sources because they have no real feel for whether the information is valid, or whether it’s just hype. But a well-written article in a reputable business journal – one that they might well subscribe to – is likely to be read and accepted far more readily.

Try sending a copy of this (or a similar article) to your business managers combined with an appropriate call-to-action (for example, “I’d like to use this opportunity to talk about security at our next staff meeting”), or ask to have it included in the next company newsletter. The weight carried by the journal will make it much easier for your message to be accepted.

Using an article or report from a well-regarded business source – the medium – conveys the message that this really is an important business issue – not just IT hype.


FBI Warning – Hackers Targeting Law Firms and PR Companies

By Steve Addison, November 24, 2009

The Washington Post talks about a recent FBI warning that hackers are increasingly attacking law firms and PR companies using spear-phishing emails. These emails – previously used against military and defense targets – contain hyperlinks or file attachments which launch a malicious payload that can allow hackers to access the target’s network. Once they’re in, the hackers look for sensitive data – often linked to large corporate clients doing business overseas.

Sometimes, we focus so much on security issues relating to personal information (Social Security numbers, health information, addresses), financial transactions (credit card numbers, bank account details) and state security (military and defense secrets) that we forget other information can be extremely valuable to criminals.

You can find further news and warnings on the FBI Cyber Investigations Program website.
