How Are Organizations Handling Social Networks?

I hear a lot about social network use being banned in the workplace, so I was interested to see the results of a survey that asked just this question. From the results that they gathered, it would appear that most organizations either ban social network use entirely (54% of those surveyed), or limit use to business purposes only (another 19%). Only about 1/4 of organizations allow any degree of personal use.

However, many of your employees are probably using social networks – whether they’re banned in the workplace or not. Another recent survey showed how prevalent the use of one social network (Facebook) was, with nearly half of surveyed employees using Facebook during working hours with some using it for up to 2 hours each day.

We’ve Banned It, So We Can Ignore It …

When I talk with organizations, the primary reason for banning the use of social networks seems to be that they’re considered to be a significant productivity drain. And that’s probably true. But there’s also an element of concern about the security aspect, and the assumption that banning social networks in the workplace will solve that problem entirely.

The simple facts are:

1. Unless you block access with web filtering tools, many of your staff will continue to use these sites in the workplace despite any bans.
2. Staff using social networks outside the workplace still pose a significant threat.

Let’s look at this latter one a little more closely. In a recent blog post – Social Engineering Using Facebook – I wrote about how a security consultant was able to use information publically available from employees’ Facebook profiles to carry out an (authorized) attack on a company, and I noted that:

… banning social network use in the client’s workplace would probably have made very little difference since many of their employees – especially those expressing disaffection – would probably have continued to post the same information to Facebook from home.

It’s not just disaffected employees who are a problem. For example, you need to worry about IT staff posting technical questions to support groups that might give a hacker a hint about the systems that you’re running or a security hole you’re trying to fix, former-employees posting information to their LinkedIn profiles that detail the systems that they worked on when employed by you, executives providing enough information in interviews that a clever social engineer could impersonate them …

If you haven’t taught your employees to be careful about what they post, you’ve left a big hole in your defences.

What Should You Cover in Your Training?

So you’ve decided to grasp the bull by the horns and address social networking in your awareness training program. Wht should you cover?

Let’s start with the issues that are faced if social networks are being accessed from your company systems – either with or without your permission. (If you’ve blocked access to all social network sites, then you can probably skip this section). The good news is that they’re pretty much the same set of problems that you face with any Internet access by your staff – downloading infected files, clicking on links and popups that install spyware … but with the added complication that your employees might be lulled into a false sense of security because they’re “among friends”. Furthermore, there are more than 50,000 Facebook thid-party ‘applications’ (according to Facebook), and these applications aren’t all safe. And don’t forget basic email security since most social networks include their own messaging capabilities that could bypass antivirus tools installed on your email gateways.

So here are some of the topics that you’ll probably want to cover:

• What are viruses, worms, and spyware?
• Installation of malware through:
  • Piggyback installation.
  • Drive-by downloads.
  • Browser add-ons.
  • Pop-up ads.
• Fake antivirus and antispyware software.
• How to check (regular) hyperlinks.
• The dangers of “shortened” links.
• Using different passwords on social networks and work accounts.
• Basic email security – especially:
  • Malware infections in attachments.
  • Recognizing phishing and spear-phishing emails.

Now the issues that you’re going to have whether you ban social networking at work or not – your employees posting inappropriate and/or sensitive information online. They should be taught that:

• Privacy controls are critical. Anyone using a social network should take some time to make sure that they understand the privacy controls that it offers, and to make sure that you’ve set them up correctly to restrict access to your personal information – not just use the default settings.
   
• Information posted online should never include anything that might compromise the security of your organization. There are probably some obvious things to avoid (network information, anything about the security systems that have been installed …) but you’re going to have to help them understand what other things might be critical.
   
• They should also try to avoid posting information that might be used as a security question e.g. mother’s maiden name, pet’s name, name of high school. Posting this online could be making it easier for an identity thief.
   
• Make it clear that these restrictions apply as much to IT staff (and executives!) as other staff. In particular, you should point out how online support forums can be a treasure trove of information for hackers.
   
• Users of social networks should be selective when adding friends and connections, and (as far as is possible) try to ensure that they really are who they claim to be!
   

Final Thoughts

I just wanted to leave you with a few final thoughts:

• If you’re not already doing it, you should post or distribute, and have employees sign a policy that defines what they shouldn’t be posting – either as part of your Acceptable Use policy, or as a separate document. As well as making it clear how important social network security is, it might also provide you with some legal protection should the worst come to the worst.
   
• You might want to talk with your legal counsel about any restrictions that might be in place during company “quiet” periods that might affect what your employees can post online, and then include this in your training materials.
   
• As I noted in my earlier post – Social Engineering Using Facebook – if you’re responsible for an organization’s security, you really should be monitoring the social networking space as best you can to detect:
  1. Inappropriate posting of information relating to your organization by your organization’s staff
  2. The fraudulent use of your organization’s name/identity
  3. Bogus accounts set up in the name of your organization’s staff

   

Here are three of the ways that I’ve seen poor delivery kill awareness training programs.

1. Classroom Training with Poor Presenter(s)
2. Web-Based Training That’s Too Complex
3. Too Much Glitter in Web-Based Training

I think we all remember really good teachers and really bad teachers from our school days. And we also tend to remember what the good teachers taught us. Security awareness training is no different.

If you’re going to do your training in the classroom, you’ve got to be prepared to find good presenters – whether that’s someone already in your organization, or hiring someone from outside.

At the risk of generalizing, your information security and/or IT staff are seldom the right people to be handling this. Not only are they rarely comfortable in presenting to audiences, they tend to allow themselves to be drawn into too much technical detail (see also my recent post – “Don’t Get Bogged Down in How To“).

One final note … hiring an outside presenters such as an information security expert/consultant can have the side benefit that the message may be perceived as more important, and help you to avoid the “Oh no … Steve from IT yet again” factor. This is especially important if you’re presenting to managers and/or executives. And perception, as we all know, is at least half of the battle!

If you decide to use Web-based training rather than classroom sessions, you don’t have the problem of finding teachers with great presentation skills. But you still have to design the content well, and you’ve given yourself another potential problem – you need to be able to get the training materials from your server(s) to the students’ browsers and have it function correctly there.

If your training program requires plugins that aren’t on students’ computers:

• Many (most?) of your students won’t bother to try to install them.
• Even if they try, they may not be able to do so because they may not have the appropriate privileges.

In the past, many training programs have used Flash extensively. However, with an increasing number of attacks being aimed at Adobe products (see, for example, my post from December last year on “Security Problems with Acrobat and PDF Files“), I’ve seen more and more organizations deploy desktop images without Flash being installed. And relying on plugins is likely to get worse as we see increasing use of mobile devices since many of them don’t support Flash at all.

Relying on Java can also cause problems. The firewalls deployed by many organizations will block Java applets so you might not be able to use externally-hosted courses.

This is a case where plain vanilla – HTML + JavaScript – is probably best.

Games and interactive activities in training courses can be very useful. They can reinforce the points being made, or break up a course so that students don’t get bored.

But too much focus on glitter (games, animations, videos) rather than content can:

1. Obscure the basic message that you’re trying to get across, which should be as simple and as clear as possible.
2. Make it more likely that you’ll have delivery problems e.g. plugins
3. Make it (much) more expensive to create and maintain

I’ve found that students who play games in online courses often remember the games, but frequently can’t remember the point that the course was trying to make.

If the information you’re presenting is perceived as valuable by students, you don’t need much (if any) glitter. Focus on finding the “value proposition” for students – why should they care about what you’re teaching – and you don’t need games to interest them.

Some quick notes before I finish:

• Audio and video are NOT interactive unless you count the student clicking on the ‘play’ button. They can be valuable as alternative ways of transferring knowledge – some students will learn more readily from audio or video rather than the written word – but they’re not without their own problems. For more discussion of this, see my post on “Using Audio in Courses” from August last year.
   
• Note that I’m not dismissing the value of simulation-based interactive activities in online courses e.g. “click on this image to show how you you would change your privacy settings in your browser”. These actually address a different part of the learning process – “Practice”, where you’re trying to move the students from a state of “Conscious Competence” to “Unconscious Competence”, rather than “Awareness” or “Training”. For more about this, see my recent post on “Awareness, Training and the Four-Stage Learning Model“.
   
• Group case-studies in the classroom can be invaluable in breaking up a lecture, involving the students, and also allowing the teacher to wander the classroom addressing specific issues. Sadly (in my experience) it doesn’t work nearly as well in synchronous web-based training classes (e.g. GoToMeeting sessions).
   

Next time … programs that are too expensive to run on an ongoing basis.

Don’t.

You have very limited time and a lot of topics to cover. And most of your students will forget any detailed information that you cover. So focus on the bigger picture. Make them aware of the threats, and what they need to do in broad-brush terms. Then provide students with easy access to the “how to” information so that they can find it when they need it.

Here are some ways you might provide the “how to” information to your students:

• an HTML page on your organization’s intranet or SharePoint site
• the library section of your organization’s LMS
• a handout in class
• a downloadable PDF file
• a poster or notice in a prominent place
• instructions printed on a mouse mat
• a shortcut on the desktop of your standard PC image

and probably many more.

The mention of the audience is important here – what’s appropriate for an IT group is seldom useful for a group of average PC users, and what’s useful for the PC users probably won’t be as valuable for workers in a warehouse or distribution center.

But, bearing that in mind, here are four of the ways that I’ve seen programs fail because of the wrong content.

1. The Content is Too Technical
2. Compliance Training About Regulations – Not Topics Specified by the Regulations
3. The Training is Entirely Work-Related
4. The Training Ignores Known Security Problems

Probably the most common failing of security awareness training programs is that the content is far too technical for the average user. As a result, the students “tune out” the course and, all too often, any other courses that follow.

Usually, the reason is that the development of the training was delegated to someone from the IT/IS group. This can result in a great course but, more often, it results in one that’s not right for the target audience. For example, I remember one end-user training program that started with a 90 minute course on information security risk assessment – an interesting topic for some of us, but much too complex for the average office worker.

Developing high quality training material is a skill in its own right, and very few people possess that skill as well as in-depth domain knowledge. So, in the training industry, this problem is often addressed by separating out the roles of:

• Subject Matter Expert (or “SME”)
• Instructional Designer (or “ID”)

The SME is responsible for the technical background to the course, and for making sure that it’s accurate. The ID takes the information that the SME has provided, breaks it down, and presents it in a way that the target audience will understand. Understanding the difference between these two roles will help you determine the right people to develop your awareness materials.

Security awareness training programs focused on regulatory compliance sometimes fail because they concentrate on teaching students about the regulation rather than about the subjects specified by the regulation.

For example, imagine that you’ve been tasked with providing security awareness training for Gramm-Leach-Bliley Act (GLBA) compliance. So you go out and find a course (or write your own) that explains what GLBA is, how it came about, the penalties for non-compliance, and so on.

When you’ve finished, you have a great backgrounder on GLBA. However, as noted in an earlier post on this blog, the FTC-issued guidelines for organizations implementing measures to meet the GLBA Safeguards rule say that organizatiosn should:

Train employees to take basic steps to maintain the security, confidentiality and integrity of customer information, such as:

• locking rooms and file cabinets where paper records are kept;
• using password-activated screensavers;
• using strong passwords (at least eight characters long);
• changing passwords periodically, and not posting passwords near employees’ computers;
• encrypting sensitive customer information when it is transmitted electronically over networks or stored online;
• referring calls or other requests for customer information to designated individuals who have had safeguards training; and
• recognizing any fraudulent attempt to obtain customer information and reporting it to appropriate law enforcement agencies.

I’m not saying that discussing the regulation isn’t of value – it’s vital to provide a context for your students: why they should care, the penalties for failure to comply. But the focus of the security awareness program should be on security.

This one may be a little more controversial, but I’ve seen quite a number of programs fail to have any real impact when they focused the training materials entirely on the business issues.

The reason for managers wanting to do this is understandable – after all, it’s not their job to teach people about how to keep themselves secure at home. In addition, some managers have expressed concerned about liability that they might incur if they teach students something that backfires.

But, my personal feeling is that they’re missing the critical point. If you can engage students and show them how good security practices can benefit them personally, they’re going to pay more attention to what you’re teaching. I’ve taught classroom sessions on malware (viruses, spyware), passwords, social engineering … and the look on students’ faces when they realize how it relates to their own life tells you that they “get it”. If they then transfer even a small part of that back to the work environment, you’ve gained something very important.

Here’s an earlier post on this blog that discusses the same thing in the context of teaching students about avoiding identity theft.

This is an interesting one, and one that I hadn’t really thought too much about until I was involved in a training needs assessment project.

I talked to a number of students in one organization about the security awareness training that they’d received. Almost unanimously, they told me that they considered the training to be of dubious value because it didn’t even mention a major security hole that they all saw each and every day – sensitive documents left lying on printers in common areas. Their logic – if it didn’t cover that one simple problem, why should they take the rest of the training seriously?

Presenting students with training that they see as unrealistic is a sure way to make them ignore it.

Next time … how poor presentation can cause a program to fail.

In Theory

Let’s start by considering a widely-used 4-stage model that describes the progression of students from incompetence to competence in a skill. Here’s how it can be portrayed:

And here’s how the 4 stages are typically defined:

1. Unconscious Incompetence
The individual neither understands nor knows how to do something, nor recognizes the deficit, nor has a desire to address it.

2. Conscious Incompetence
Though the individual does not understand or know how to do something, he or she does recognize the deficit, without yet addressing it.

3. Conscious Competence
The individual understands or knows how to do something. However, demonstrating the skill or knowledge requires a great deal of consciousness or concentration.

4. Unconscious Competence
The individual has had so much practice with a skill that it becomes “second nature” and can be performed easily (often without concentrating too deeply). He or she may or may not be able teach it to others, depending upon how and when it was learned.

Ref: Wikipedia – http://en.wikipedia.org/wiki/Four_stages_of_competence

These map, pretty well, onto what we see in the workplace (oblivious of security issues, realize there are security issues but don’t know what to do about them, know what to do when they think about it, and behave in a secure way without having to think about it).

Obviously, our ultimate aim is to move our students from Stage 1 (not recognizing security threats, and/or not knowing what to do when they see them) to Stage 4 (good security practice being second nature).

So how do the terms “awareness” and “training” map onto this model? “Awareness” is basically the process by which we try to move students from Stage 1 to Stage 2 by helping them to recognize what is going on, and how their current practice is insufficient. “Training” is the process by which we try to move students from Stage 2 to Stage 3 by telling them how to deal with the threats we identified during the Awareness phase.

And what of the other two transitions? Stage 3 to Stage 4 can only be achieved through “practice” – repetition of the newly learned behavior until it’s second nature. Stage 4 to Stage 1 is (sadly) out of our control as educators. It occurs when the students forget what they learned, or become sloppy, or the threat environment changes.

In Practice

In the workplace, the value in treating “awareness” and “training” as separate programs is less clear. Most of us who’ve been involved in setting up a training program for an organization know all too well that the time available for students to cover information security is extremely limited. A typical organization might allocate a few hours of training time during the new hire (or “onboarding”) process, maybe an hour each year for refresher training, plus a few minutes from time-to-time during staff meetings.

Given this lack of time, we’re basically forced to deal with the awareness and the training aspects in one course, or session, or presentation – perhaps supplemented with short reminders (emails, posters …) from time-to-time after that.

This is a case where the practical realities don’t align very well with the theoretical distinctions, and the reason why most of us talk about “awareness training” as a single term.

The laws/regulations dicussed in the article include:

1. Digital Millennium Copyright (DMCA) Act
2. No Electronic Theft (NET) Act
3. Anti-Counterfeiting Trade Agreement (ACTA)
4. Court rulings regarding border searches
5. State and federal laws regarding access to networks
6. “Tools of a crime” laws
7. Cyberstalking and Cyberbullying laws
8. Internet gambling laws
9. Child pornography laws
10. Pro IP Act

Fascinating reading, with a lot of gray areas in some cases.

1. The information that they contain is inappropriate for the audience (usually far too complex).
2. The presentation of the information is dull or dry.
3. The program is too expensive to run on an ongoing basis.
4. Students don’t have enough time to take the training.
5. The program doesn’t fit with other training initiatives in the organization.

I’m not going to try to rank these in any kind of order. But, over my next few posts, I’m going to look at each of these in turn, try to identify the pitfalls, and give you some suggestions that may help you avoid them.

But security awareness training for the reps in a call center provides some challenges. In particular:

1. Staff (rep) turnover rate can be high, and the average length of employment short.
2. Staff often don’t have (company) email accounts.

Let’s look at each of these factors in turn.

High Staff Turnover

There’s really no such thing as a typical staff turnover rate for a call center – figures vary widely. For instance, a survey by Purdue University’s Center for Customer Driven Quality (CDQ), quoted in “Call Center Management: People Versus Technology” by Drew Robb, shows a very wide range.

And a survey conducted by International Customer Management Institute (ICMI) in 2000 reported on the ICMI website showed the following data for average full-time staff retention periods:

Although not presented, one would expect the average retention period for part-time staff (such as seasonal staff employed during holiday seasons) to be much shorter. Overall, it would be fair to say that the turnover rates are generally a lot higher than in many other types of organization.

So what does this mean for security awareness training?

1. Continuous recruitment throughout the year means that it can be difficult to schedule classroom training sessions. So training should be “on demand” which, these days, typically means web-based training.
    
2. Because of the relatively short retention periods – especially when recruiting reps for seasonal vacancies – the learning curve needs to be as short as possible. Therefore, extended training classes aren’t going to be practical, and a highly condensed and customized course/class is advisable.
    
3. The administrative effort in setting up and managing student accounts and tracking training must be minimized. Therefore automation is critical which, once again, typically means web-based training.
    

Emails

Many web-based training systems rely on email for login identification, and for other communications with students. But not all call center reps have company email accounts, or access to email at work. So you may not be able to rely on this. If you’re looking at a web-based training system, make sure that it doesn’t depend on your students having email accounts.

Course Content and Presentation

As noted above, the time available to train your reps is going to be very limited, so you’re probably going to want to have a highly condensed and customized course/class that covers the specific business processes that your staff will be dealing with. For example, if you don’t have company email for reps (see above), you won’t need to deal with email security, and if you don’t deal with information on paper, you won’t need to cover document retention and destruction in the same way as you would if your reps deal with paper orders and invoices.

If you’re not going to develop the course/class yourself (and I’d recommend that you don’t), you can probably find a number of providers who will be able to work with you to develop the content you want. Look for a couple of things:

• A provider with a library of existing content that can be used as the basis for your training so that you’re not re-inventing the wheel.
   
• A provider who stresses simplicity in their approach to presenting the information so that the course is succinct and focused rather than presenting the students with numerous external links, games, exercises, pop-quizzes …
   

And a final note – since call centers, by their very nature, involve audio communications (telephone calls), it might be tempting to make heavy use of audio in your training courses. Don’t. As this blog post talks about, excessive use of audio can:

• Increase course development and maintenance costs.
   
• Use additional network bandwidth which might cause operational problems.
   
• Slow down the learning process.
   

Use audio sparingly – perhaps including some sample rep-client conversations. But don’t narrate every slide since it will slow the learners down considerably.

Other Considerations

Here are some other things you should think about when looking for a security awareness training solution for your reps.

• Regulations such as PCI DSS and HIPAA don’t just require staff to receive training – they require staff to read and acknowledge security policies. Doing this on paper could quickly become overwhelming for your administrators – especially when auditors come in and start asking for reports – so look for a training system that will also handle policy signatures and reporting online.
   
• Security isn’t the only area which requires staff training and policy affirmation, so ask around your organization to see if there are other areas that could share the system (and cost!).
   
• Managers, supervisors and IT staff are probably going to need to receive additional training. This isn’t (generally) subject to the same constraints as the training you need to provide to reps, but they should take the same basic training regardless and then receive additional courses/classes as required.
   

Summary

Here are the key things that (I think) you should do when developing or purchasing a security awareness training solution for your call center reps:

1. Use web-based training. The system that you need should:
   1. Automate student management processes as much as possible.
   2. Incorporate policy signature management within the same system as the training.
   3. Allow use by reps who don’t have company email accounts.
   4. Be extensible to other training and/or policy signature needs within your organization.

    

2. Provide reps with a highly condensed course/class customized to your organization’s specific needs. Base this on existing materials wherever possible, and don’t get too fancy with the presentation – training time is of the essence.

[H1N1] affects us in the workplace. If an employee has a small child and they don’t have a stay-at-home caregiver, expect that they’re going to miss more time than in prior years … Also, you may want to suggest that employees with sick children stay at home even if they aren’t the primary caregiver, just to minimize workplace infections.

Andy then goes on to talk about the components of a telework plan that could be used to minimize the disruption.

An interesting post and, with the recent weather-related travel problems on the East Coast, even more timely. There are going to be times when you need staff to work from home, and sometimes this may not be pre-planned. So, in addition to the components that Andy outlines in his blog, you might want to think about some of the training aspect of this. In particular:

1. If an employee working at home is going to be:
   • accessing your IT systems remotely; and/or
   • making work-related phone calls from home; and/or
   • taking a work laptop computer home; and/or
   • doing work on a home computer; and/or
   • taking work-related documents home

   you must make sure that he/she understands the additional security issues that result from working outside your organization’s perimeter. In particular, you’re going to want to caution them about ensuring the physical security of sensitive data (documents and computer resources) and, if appropriate, show them how to remotely access your network securely.
    

2. The training that you provide needs to be “on-demand” because you’re unlikely to know exactly when it’s going to be needed, and it should be provided as close to the time that it’s needed as possible i.e. not a year ahead of time.
    
3. The training needs to be accessible remotely, typically through the Internet. Ideally, the training won’t require the employee to access your network remotely, but will be hosted on a server that has a web-interface.
    
4. A policy and procedure(s) need to put in place to deal with this contingency, and all line managers who might have staff working remotely should be made aware of this. The policy and procedure(s) are going to cover more than just security (see Andy’s blog post for more suggestions about what they should cover) and may well be related to your business continuity plans.
    

If there ever was a topic that’s perfect for web-based training (remotely-accessible and on-demand) this is it!