Security breach control

Dubai’s Department of Economic Development is raising security awareness among its staff via Symantec’s Security Awareness Programme.

By Sarah Gain. Published July 25, 2005

Image caption: Internal security breaches can be just as damaging and costly to an organisation as an external attack.

Employees are just as likely to cause a security breach as a malicious hacker. As phishing, denial of service attacks, credit card frauds and other external security threats grow in severity and sophistication, it is not surprising that organisations are spending vast amounts of money protecting their IT infrastructures.

Few organisations in the Middle East are aware of the internal security risks that exist within every company, however. Internal security breaches can be just as damaging and costly as an external attack, yet such threats are often under-estimated, and rarely attract the same level of investment or resources as external attacks.

While recent cases worldwide have highlighted the need for firms to ensure they have adequate checks in place as part of their recruitment processes, and also have systems to discover potentially suspicious activity on the part of their employees, it is often a lack of awareness that causes the most damage to organisations.

“By accidentally opening an infected attachment or sharing a password with an unscrupulous colleague, an employee could unwittingly cause untold disruption to the organisation’s entire system,” says Ali Ibrahim, deputy director for executive affairs at Dubai’s Department of Economic Development (DED).

It is for this reason that the DED took the decision to implement a bilingual corporate security awareness programme from Symantec to raise employee awareness of information security. Designed as a web-enabled e-learning initiative, the programme offers a suite of courses that will enable employees to understand the crucial significance of information security, in addition to teaching them various methods to ensure the security of sensitive information.

“The DED is the first government department in the UAE to implement such a programme, which shows its keenness to empower all employees to take an active role in the protection of their organisation’s resources,” says Ibrahim.

Like many organisations, the department has a variety of files, programmes and databases, ranging from generally available to highly restricted information, and all employees have pre-determined access rights on the system depending on their role and the day-to-day requirements of their jobs.

Unauthorised access to the more sensitive data stored on the department’s systems could result in severe problems and even financial losses for the DED, and any breach of security would undergo major investigation, ultimately resulting in disciplinary action for those members of staff involved.

“Employees need to understand that by protecting information they are protecting themselves. If an employee leaves their password somewhere where it can be read by others, then anyone could gain access to areas of the business that they are not authorised for and make fraudulent transactions — this could have serious repercussions for the employee whose account was used, even if it was not actually their fault,” Ibrahim explains.

Although the department had not been experiencing any major security issues as a result of employee negligence, the growing complexity of information security as the department expanded was putting proprietary information assets at increasingly greater risk on a daily basis. The organisation realised it was important to educate the workforce to understand information security issues and behave in a manner that would minimise risks.

Extensive use of the internet and web-based programmes for sharing information within and outside an organisation often compromises the security of critical data and information. “In order to ensure that employees use new technological tools with greater discretion, the DED has decided to implement this corporate security awareness programme across all levels of employee at the department. The move will prevent future problems as opposed to tackling ones that we were already having,” says Ibrahim.

Image caption: Ibrahim: By educating the DED’s employees about the importance of information security we will prevent internal threats in the long term.

The Symantec Security Awareness Programme (SSAP) is a comprehensive, measurable training and communications programme, which gives employees the knowledge they need to better protect critical corporate information and other assets.

To effectively promote long-lasting results, the programme contains multiple security topics and is modified to suit all levels of security understanding. The course syllabus includes narrative scenarios and testing to reinforce knowledge retention.

The programme covers issues of information protection, social engineering, remote worker security, virus protection and password security, as well as addressing the issues of web browser, e-mail and instant messaging security. Finally, the programme covers elements of secure telephone and mobile use to give a comprehensive level of understanding to non-technical employees.

The DED employees can log onto the programme directly from their computers via an interface, accessing tutorials on specific security topics based on international standards and industry best practices. “The programme is user friendly and uses attention-grabbing screen savers, ready-to-print posters, pamphlets and reference cards to promote learning and make the programme attractive to users,” says Ibrahim.

The interactive programme includes robust user administration and data management. Managers monitor how long individual employees are spending on the programme, allowing them to assess their progress and determine when extra training may be required. “Although we have only installed the software, we are keen that the staff start making the most of it right away. We do not want to put any undue pressure on our staff, however, neither do we want to see anyone falling behind.”

Ertiqaa Consultants, which concentrates on the industry best practices and security standards, managed the project. The software installation was straightforward. It was a matter of installing the software centrally and assigning all staff a user name and password.

The DED’s in-house IT team customised the software package, making it available to the staff in both Arabic and English, as well as including specially tailored questions designed by section heads to cater to the specific security issues and areas of concern for each of the departments.

“Since we have included job-specific questions, the employees can see the real-life applications of the programme. This helps the staff get to grips more easily with the topics, and they are able to see the relevance of the security advice to them personally,” Ibrahim continues.

The interactive environment allows for flexibility as employees can log on whenever it is convenient, and the DED reports the majority of employees have responded well to the new programme. While many are taking the time to work through the various levels and answer the questions posed at the end of each section to test their knowledge, some individuals are already making faster progress than others, and a few have not even logged into the system once since it went live.

According to Ibrahim, the DED is considering some creative ideas to boost employee participation: “We are still letting the staff get to grips with the programme at their own speed, but if we find that they need more motivation to complete the course we might introduce some incentives such as inter-departmental competitions and prizes.”

While the government body may be the first public entity to introduce this type of employee education scheme, it is likely that others will soon follow its example.

Ibrahim describes the DED’s deployment as something of a pilot scheme: “This is important education for this increasingly electronic era and I am sure the idea will prove popular throughout other government departments further down the line. Internal security threats are unnecessary and easily avoided, and prevention is always better than a cure.”
