Four essential components of end-user firewall training
Policies of any kind are difficult to implement, but IT polices seem to be even more troublesome. Most employees have no idea what the IT department does or why. They don't understand that when you take their screensaver away, you have a very good reason for doing so (to avoid having to troubleshoot their PC later). Accordingly, new IT policies are rarely met with enthusiasm--they usually eliminate something employees enjoy using.
This is why end-user firewall policy training is critical. Users must understand why your organisation has a firewall and how important following the policy is. Here are four techniques you can use to train your end users on a new or existing firewall policy.
- 1. Have a written policy and user agreement
When an IT department establishes its firewall policy, it should work with the human resources department to draw up a contract for all employees to sign. In essence, tell employees they are being given Internet access, but they have to use it appropriately.
Then, before anyone gets an account on the firewall, they have to sign this document. Having a written contract serves a dual purpose. It is an introduction to the policy and helps protect the organisation if employees abuse their Internet access.
- 2. Personalise the need for security
Unfortunately, just signing the agreement isn't enough. Employees must understand the importance of surfing the Net with their life jackets on.
To help get that message across, give employees specific examples of how inappropriate use of the Internet can hurt their job performance. For example, a breach in security could corrupt or destroy a spreadsheet that took all day to create.
By bringing it to a level that personally affects them and their hard work, employees are more likely to follow security procedures. The occasional virus that does infect your network is also a good wake-up call.
If your company is hit by a virus, try to use incident to stress the importance of security policies. Obviously, being hit once a month with a virus isn't a very productive way to remind your users about security, but you should take advantage of the opportunity if it presents itself.
- 3. Periodically reinforce safety procedures
The company's newsletter is also a good place to issue reminders about the importance of Internet and e-mail safety. These reminders could be placed in a small box that contains a safety tip users can utilise at work as well as at home.
Most employees take the time to read the company newsletter, and a written security tip might be just the thing to remind them about the importance of the security policy.
Occasionally send out a "tips and tricks" e-mail to users that includes software tips and shortcuts. Adding safety warnings and advice in these e-mails is another way to get the security message to the masses.
Messages such as "Don't share your password with anyone" or "Don't leave your Internet connection open when you leave your computer" remind users of important but easily forgotten safety precautions.
- 4. Stress management support
Of course, no firewall policy is effective without management support. It is management's responsibility to ensure their staff is working and not spending their days surfing online auctions (unless that is their job).
It's important to get management support right from the beginning of your firewall project. Let them know what you expect from them, and what information you will be providing to help them enforce the firewall policy.
Producing monthly or bimonthly firewall logs for department managers is a great way to help monitor employees' Internet usage. Remind management that there's only so much the IT department can do without their backing.
