You can't configure your way to systems security. Passwords are a perfect case in point. Windows has five separate policy settings designed to force users to select hard-to-guess passwords—and a determined user can overcome every one of them if he or she is hell-bent on having a weak password. Similarly, firewalls, intrusion prevention systems, and vulnerability scanners won't compensate for negligence on the part of users or administrators. That's why a security awareness program is a crucial component in any organization's information security strategy. Even small businesses need to give attention to security awareness. Without a solid program in place, your legal liability increases, and your legal recourse against dishonest employees is weakened. But aside from legal matters, without a security awareness program, you face greater risk in general, and the return on your security-related investments is diluted. Let's look at the major elements of a security awareness program, and I'll offer suggestions for running one successfully.

Management Support
Following sound security procedures isn't the most fun your users will have during the business day. In fact, security often seems to create inconvenience, whether you need to devise a strong password or wait for a virus scan to complete. Here are some ways to send the message to users that following company security policies is crucial.

Set the example. If users don't perceive security policies as having the full backing of management, they won't have an incentive to cooperate. Managers need to set an example by following security policies. In organizations where key executives refuse to change their password in accordance with company policy, it's going to be tough to build a security-aware user base.

Take an active, visible role. At information security meetings, managers should be present and facilitate part of the meeting. At the very least, a manager should begin and end the meeting.

Stand by your man (and woman). It's crucial to back up employees who have responsibility for enforcing security policy when they run into resistant and uncooperative users or departments. If individual users or departments must be excepted from following the rules, pay particular attention to how you communicate the exceptions so that your information security staff doesn't look toothless.

Policy
Companies without information security and acceptable-IT-use policies are asking for lawsuits. They're also giving up a certain amount of legal recourse against problem employees. Make sure all users understand and sign a written information security policy that spells out behavior that is and isn't acceptable and lists user responsibilities. Review the policy regularly to adjust for new technologies (i.e., instant messaging) and legislative and business changes. Here are more ways to make certain your information security policy is taken seriously.

Be positive. Look for ways to be positive about the benefits of security and reward employees who comply with policy. For example, make an afterhours sweep of a department and put a box of candy or a gift certificate on each desk that is clear of confidential or sensitive papers. When performing password audits, reward the user who has the strongest password.

Measure. Management loves numbers, and numbers give you a way to measure your progress as an organization. How can you measure security—particularly where users are concerned? One way is to perform a quarterly password audit and record how many accounts were cracked with a simple word dictionary. Give individual feedback and offer password-related security training. Then, compare the results of next quarter's password audit with this quarter's audit. To find out whether users are complying with security policies, conduct anonymous surveys.

Train. Conduct quarterly or more frequent security seminars. Provide users with training on methods for selecting and remembering hard-toguess passwords; teach them how to recognize phishing attempts and social engineering tactics and avoid spyware.

Vary it up. Use multiple methods to keep security on the minds of your users. Companies such as Security Awareness Incorporated (http://www .securityawareness.com) provide awareness posters, pens, toys, and training materials. Hold security awareness seminars or arrange for department managers to talk about information security at department staff meetings several times a year.

Be sensible. Work hard to identify and eliminate or improve shortsighted, impractical policies or procedures. Coordinate administrators so that password-change cycles and policies are aligned across systems and departments. Look for ways to make it easier for users to comply with security policies and remain securityaware. In short, to get users to do their part with security, do yours.

Get Creative
Encouraging users to think and care about security is possible and important. Use your imagination and look for ways to promote information security as something positive. Get out of your cubicle and interact. Keep numbers: Management will be more supportive if you can quantify your company's current state of security awareness and demonstrate the measurable progress you're making to improve it.