From my internal blog at work.

Oct 22, 2015 23:30

How can we create a security-aware culture within Kiva?

In my nightmares, we've had a major security incident: A Kiva password that was susceptible to a dictionary attack and belonged to a staff member with admin access was cracked. A software bug that allowed an attacker access to data we didn't intend for public consumption. A stolen laptop was


Comments (2)

allanh October 23 2015, 17:29:04 UTC
Start with the simple stuff, like getting people to be aware that writing passwords on sticky notes in drawers and under keyboards is NOT a good thing.

If you have a good artist on staff, maybe some WWII-reminiscent propaganda posters: "Passwords On Post-Its Is GIVING DATA TO THE ENEMY!"

Follow this up with the basics of PCI security, at least as far as being aware of where credit card information is entered and stored, including on interim media such as (again!) post-it notes or screen shots or browser caches.

There could also be basic instructions on being aware of malware, including not clicking on links in strange emails.

Is there a web filter already in place to prevent drive-by attacks?


dangerpudding October 23 2015, 19:12:07 UTC
This is after 18 months of getting the basics under control - we've implemented an enterprise-wide password vault, cleaned up the nightmare of passwords everywhere, I've sat down with *every single person* in small groups and walked them through the (rewritten by me) security policy with lots of information about why and how.

It's mostly working well. They catch phishing attempts, I haven't found a password on a post-it in months, they come tell me when they find the formerly-standard "generic password" somewhere.

My security training plan for next year is via a neat startup that's happy to use us as one of their testbeds (literally running all of their content by us for review and comment, at this point) for their gamified-training tool - apozy.com

I just want to keep making it better, and do so culturally rather than with more policy and procedure. :)


