Bring your own devices (BYOD), USB flash drives, signing into compromised personal web-based accounts from work, and shared passwords. These are some of the reasons for information security professionals to train their employee user base, even when it’s about apparent non-work related computing resources.
Becoming visible to your non-security enterprise end users as a security resource is key. The more your users interact with you in a security context, the better off your organization will be. End-user outreach programs, lunchtime online safety and online parenting safety classes are just a few examples of time well-spent when it comes to your end-users being more communicative with you.
We’ve all seen computer security incidents where the first indicator of an event was an end-user’s help desk issue in the form of full disks, password problems, and slow networks. Infosec professionals should leverage the help desk trouble ticket system as early-warning radar.
Because such a ticket may be the first sign of an issue, encourage use of the help desk for all reports. That means following up on trivial tickets, thanking the reporter, and consistently reminding users that it’s in their best interest to report everything.
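One way to turn the help desk queue into that early-warning radar, as an added example that is not part of the original article: classify incoming tickets by the symptoms named above (full disks, password problems, slow networks) and raise an alert when several distinct people in the same department report the same symptom inside a short window. The ticket records, the keyword lists, the 24-hour window and the threshold of three reporters are all constructed assumptions to be tuned per organization.

```python
"""Triage help desk tickets as an early-warning signal.

Added example, not from the original article. The ticket records below are
constructed for illustration; the category keywords, the 24-hour window and the
threshold of 3 distinct reporters are assumptions to tune per organization.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Symptom keywords mapped to the ticket category they indicate.
SYMPTOMS = {
    "full_disk": ("disk full", "out of space", "no space left"),
    "password": ("password", "locked out", "can't log in", "cannot log in"),
    "slow_network": ("slow network", "slow internet", "network slow", "lag"),
}

# Constructed sample tickets: (timestamp, reporter, department, subject)
TICKETS = [
    ("2024-03-04 08:02", "alice", "sales", "Laptop says disk full again"),
    ("2024-03-04 08:15", "bob", "sales", "Out of space on C: drive"),
    ("2024-03-04 09:40", "carol", "sales", "No space left, can't save files"),
    ("2024-03-04 10:05", "dave", "finance", "Forgot my password"),
    ("2024-03-05 11:30", "erin", "hr", "Network slow this morning"),
    ("2024-03-06 14:00", "frank", "sales", "Monitor flickers"),
]


def classify(subject):
    """Return the symptom category a ticket subject matches, or None."""
    text = subject.lower()
    for category, keywords in SYMPTOMS.items():
        if any(k in text for k in keywords):
            return category
    return None


def find_clusters(tickets, window_hours=24, min_reporters=3):
    """Group classified tickets by (department, category) and flag any group
    in which at least `min_reporters` distinct people reported the same symptom
    inside a sliding window of `window_hours`.

    Returns a list of (department, category, sorted reporter list) tuples,
    one entry per flagged group."""
    groups = defaultdict(list)
    for ts, reporter, dept, subject in tickets:
        cat = classify(subject)
        if cat is None:
            continue
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        groups[(dept, cat)].append((when, reporter))

    window = timedelta(hours=window_hours)
    alerts = []
    for (dept, cat), entries in groups.items():
        entries.sort()
        for i, (start, _) in enumerate(entries):
            # All reporters whose ticket falls within `window` of this one.
            reporters = {r for t, r in entries[i:] if t - start <= window}
            if len(reporters) >= min_reporters:
                alerts.append((dept, cat, sorted(reporters)))
                break  # one alert per group is enough
    return alerts


if __name__ == "__main__":
    for dept, cat, who in find_clusters(TICKETS):
        print(f"ALERT: {len(who)} {dept} users reported '{cat}' within 24h: "
              f"{', '.join(who)}")
```

On the constructed data this flags the three sales tickets about full disks on the same morning, which is exactly the kind of cluster worth a phone call before it becomes a ticket in the incident tracker instead.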
More progressive organizations ensure that home user information security practices and training are available to employees so they don’t do something at home that could potentially impact the organization’s security posture.
That thumb drive of baby pictures coming from an infected home PC will bypass your security perimeter. That jailbroken smartphone will be plugged into the work PC to charge and will mount as storage. That salesperson’s laptop will be used for personal surfing on the road. All of these are threats to the enterprise, and while we can create policies and procedures to limit the exposure, providing expertise, software and training will help to backstop those policies and procedures.
The other advantage of working with your users’ knowledge of overall infosec practices is that you can take the better ones and make them responsible for overseeing and reporting issues in their areas of operation. That effectively gives you a reserve information security force as well as organizational visibility into end-user practices and concerns.
For additional information and an enterprise IT security officer’s perspective read: If You Host It, They Will Come