As a part of security awareness month, I have mentioned that we really need to focus any preventative mention awareness on laptop theft. As a part of that, I have been working on some interesting research around this threat. There is a ton of information out there on laptop theft. This wikipedia article has a lot of good information. It is a great place to start if you want to build some quick materials. I love the cost estimate of $89,000 on average per lost laptop. This aggregates the work it takes to recover from the loss, the hardware cost, the aggregate average of fines and regulatory losses, etc. That number is a real eye opener for many people who tend to only think about the hardware replacement costs, which is especially true for end users. Also, in my experience, we have timed some of our security engineer ninjas on how long it takes to break a car window, snatch a laptop and bolt. One of our quickest ninjas takes under 12 seconds to get 100′ from the vehicle. Even rounded up to an even 20 seconds, that is not very likely to matter. Timing how long it takes people to go into a convenience store to pay for gas or grab a soda is almost always in the 3-5 minute range. That’s a lot of time for 20 second intervals to occur.

Just something for you to give end users to think about…

Here are three quick ideas about how to encourage your employees to be better “net cops”:

1. Make sure they know who to report suspicious behaviors to and never, ever punish anyone for doing so. Make sure you give them a place to drop anonymous notes too, if that is appropriate for your program. Teach them how to report suspicious emails, calls and information requests. Create an ongoing program reminding them about how to do so.

2. Incent them to report suspicious behaviors. Create an email forward box for spam, phishing and other types of suspicious email. Enter the first people to report each sample into a monthly or quarterly drawing for movie tickets or some small prize. Not only will you get people interested and get more insight into your security posture, you just might learn more quickly when a spam or trojan attack is under way.

3. Hold a security day where you have games and such that back up these ideas. Focus on teaching your people how to recognize social engineering and such and how to report it. Use the opportunity to remind them about the other ideas above. Have some swag made for them that talks about how each of them is a “security agent” or “on the front lines” “investigating threats against your customer’s data” or the like. Get marketing and HR involved to create something memorable.

What ideas do you think might get people focused on noticing when bad things are happening? How does your organization encourage your staff to be better detectives?

Security awareness. I know, I know… This is one of the worst parts of being an infosec person. We all seem to have problems with it. Not so much because the content creation is hard, but because effective content creation is nearly impossible.

For almost 20 years, we in the infosec business have been harping at you about awareness. The story often goes something along the lines of “If only we could teach the users to be more careful and attentive, then we protect them better.” The truth of the matter is though, that the average user either doesn’t care about information security (until it’s too late) or they simply don’t have enough technology skills to protect themselves in a meaningful way. But, and I promise you THIS – the answer is absolutely NOT another poster in the lunch room about not clicking on the dancing gnome or opening emails from people you don’t know…..

I think we are going about this in the wrong way. In fact, I believe that the only prevention focused message you should be sending to your staff on a repeated basis is about laptop theft. I think if you focus all of your prevention awareness on laptop theft, you might accomplish a little bit more, since laptop theft is a pretty personal crime. So, if you must print up some posters – make it about not leaving your laptop in the back of your car, or skip the posters all together!

What do I propose instead? What then will we do with all of that awareness budget???

I propose this. I suggest that you skip prevention awareness and instead focus your staff on being better “net cops”. Yep, you heard me, NET COPS. Why the heck would you do that, you might be saying? Well, the main reason is, according to recent data that profiled data compromises, your team members (as in humans) are twice as likely to notice strange attacker behaviors, security issues and other anomalies versus automated systems like IDS and log monitoring. Plus, people already love to play net cop. Your customer service people love it, your sales people love it and face it, most infosec people love it too. There is a reason why there are so many crime shows on TV. Since people love the idea of being a net cop, let’s focus on teaching them, giving them incentives and helping them help us protect our data more effectively.

This month, as you may know, is security awareness month. As such, throughout the month, we, like other blogs and security companies will be talking a lot about awareness. BUT, on this blog and at MSI, we are going to talk more about teaching your users to be detectives. We think new focus on from “what not to do” to “help us patrol the network” just might work! We’ll never know, unless we try!

Give it some thought and as the month goes on, don’t be shy. Let us know what you think about the idea. Thanks for reading!