Security Awareness for IT Staff and Developers

Lance Spitzner is the training director for SANS Securing the Human.

A common misconception, even among security professionals, is that technical people are automatically secure: if someone can code in Python, configure a Unix server, or maintain a network of routers, they must also practice good security. Unfortunately, that is not the case. Technical staff often pose a greater risk to an organization than general users precisely because of their privileged access. They write the Internet-facing code, administer the servers that hold the databases, and configure the routers that carry the traffic. These individuals often need not only security awareness training but advanced security training designed specifically for their roles.

Consider this classic example: A network engineer is deploying a new router in his network, but the router will not accept the correct routes. He turns to his trusted community of friends on a public network engineering mailing list, explains the problem, and includes the configuration file from his router. One of the list members reviews the configuration, quickly spots the problem, and posts an explanation of how to fix it. Sure enough, the fix works and the router starts routing packets. The problem is that the entire network configuration, including any credentials and internal addressing it contains, is now publicly accessible, archived on a public mailing list. The network engineer focused on getting the network running, not on what he was disclosing.
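The engineer's mistake was sharing the whole configuration rather than a sanitized copy. The script below, added here as an illustration and not part of the original article, masks the secret-bearing lines of a Cisco IOS-style configuration, optionally obscures addresses, and checks that no secret survives before the file is posted. The sample configuration, the placeholder values in it, and the pattern list are constructed for this example; a real deployment would extend the patterns to cover every platform in use.

```python
import re

REDACTED = "<REDACTED>"

# Constructed sample in Cisco IOS style (added for this example, not from
# the article). Every value is a placeholder, not a real credential or host.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
enable secret 5 $1$abcd$EXAMPLEHASHONLY
username admin privilege 15 secret 5 $1$wxyz$EXAMPLEHASHONLY2
snmp-server community letmein RO
snmp-server community letmein-rw RW
interface GigabitEthernet0/0
 ip address 203.0.113.10 255.255.255.252
router bgp 65001
 neighbor 203.0.113.9 remote-as 65002
 neighbor 203.0.113.9 password 7 0822455D0A16
 network 198.51.100.0 mask 255.255.255.0
tacacs-server host 10.0.0.5 key s3cr3tkey
"""

# Each pattern has two groups: the prefix to keep and the secret to mask.
# This list is an assumption for the example; extend it for your platforms.
SECRET_PATTERNS = [
    re.compile(r"^(\s*enable (?:secret|password)(?: \d)? )(\S+)"),
    re.compile(r"^(\s*username \S+ .*?(?:secret|password)(?: \d)? )(\S+)"),
    re.compile(r"^(\s*snmp-server community )(\S+)"),
    re.compile(r"^(\s*neighbor \S+ password(?: \d)? )(\S+)"),
    re.compile(r"^(\s*(?:tacacs-server|radius-server) host \S+ .*?key )(\S+)"),
    re.compile(r"^(\s*key-string )(\S+)"),
]

# Dotted quad split into the first three octets and the host octet.
IPV4 = re.compile(r"\b(\d{1,3}\.\d{1,3}\.\d{1,3})\.(\d{1,3})\b")


def find_leaks(config):
    """Return (line_number, line) for every line that still carries a secret.

    Run this on the sanitized text as the final check before sharing it.
    """
    leaks = []
    for number, line in enumerate(config.splitlines(), start=1):
        for pattern in SECRET_PATTERNS:
            match = pattern.match(line)
            if match and match.group(2) != REDACTED:
                leaks.append((number, line.strip()))
                break
    return leaks


def redact_config(config, mask_addresses=True):
    """Mask secrets (and optionally addresses) so the config can be shared.

    Returns (redacted_text, stats); stats counts what was masked so the
    operator can see that the sanitizer actually did something.
    """
    stats = {"secrets": 0, "addresses": 0}
    out = []
    for line in config.splitlines():
        for pattern in SECRET_PATTERNS:
            match = pattern.match(line)
            if match:
                # Keep the keyword prefix and anything after the value
                # (for example the RO/RW flag on an SNMP community line).
                line = match.group(1) + REDACTED + line[match.end(2):]
                stats["secrets"] += 1
                break
        if mask_addresses:
            def mask(m):
                # Heuristic: leave netmasks (first octet 255) readable and
                # keep the host octet so neighbour relationships stay legible.
                if m.group(1).startswith("255."):
                    return m.group(0)
                stats["addresses"] += 1
                return "x.x.x." + m.group(2)
            line = IPV4.sub(mask, line)
        out.append(line)
    return "\n".join(out) + "\n", stats


if __name__ == "__main__":
    text, counts = redact_config(SAMPLE_CONFIG)
    print(text)
    print("masked:", counts, "remaining leaks:", find_leaks(text))
```

The point of the second function is that sanitizing is not enough on its own: the check that nothing recognisable remains is what should gate the post, and a pattern list that misses a line type will show up as a remaining leak rather than silently shipping the secret.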

Counterintuitive as it seems, technical personnel with privileged access are often a far greater risk than regular employees. Provide additional, role-specific security training for technical staff as part of your security awareness program to avoid inadvertent lapses like this one. You can find resources on building a high-impact awareness program at

