Security Awareness Training at Akamai

At Akamai, security awareness and training is an ongoing process that begins on day 1 for most employees. What follows is a summary of the program, followed by one employee's personal training experiences.

Purpose:

In addition to traditional education efforts, Akamai recognizes that discussion and prioritization of security information enhances security awareness.

Scope:

This policy applies to all Akamai personnel. 

Policy:

Employees receive general security training within their first month and annually thereafter. During first-day orientation, new hires receive a 40-minute overview of Akamai's security procedures, delivered live by members of Akamai InfoSec.

Roles and Responsibilities:

All employees must annually acknowledge receipt of the Akamai Information Security Program and availability of refresher training. Refresher training is primarily available in the form of video presentation and documentation. The Information Security group tracks employee acknowledgements and ensures Akamai’s employee acknowledgement rate is in excess of 96% at all times. 

Product Management ensures that security requirements are discussed as a key component of every major product release, and that cardholder and other sensitive data is secured in all solutions in accordance with relevant security standards.

Executive Management routinely reviews multiple aspects of Akamai's security posture including:

  • Progress made in identifying and remediating security risks and vulnerabilities; 
  • Opportunities for company-wide communication to reinforce security practices and awareness; and 
  • Other aspects of Akamai's continuing corporate security and presence in the network security industry. 

Case Study:

What follows is Akamai employee Bill Brenner's first-person account of what it's like to partake in Akamai's security training. As a Senior Program Manager, Brenner is tasked with telling Akamai's security story through articles, podcasts, video, blogging and other media.

Though I've written about InfoSec for the past decade, I've still had my moments of shame. There was the time last year when I fell for one of the oldest social engineering tricks in the book, clicking the link on a direct Twitter message where someone I worked with asked if I'd seen the nasty post someone wrote about me. The co-worker's Twitter account had been hijacked and similar messages were sent to his contacts. The second I clicked the link, I knew I had just done something that could compromise my account and my machines.

It was a similar story a few years back when I clicked the link to a sci-fi site I received by email from someone masquerading as an old friend. Five hundred pieces of malware downloaded onto my laptop that day, mainly the stuff that makes adware for pornography and pump-and-dump stock scams pop up all over the screen. I spent several hours cleaning up the mess, and the folks at the office had a good long laugh at my expense.

In both cases, I hadn't had security training at the companies that employed me, though as a writer of security stories I should have known better. In terms of company security awareness, we received security warnings when an attack was making the rounds, but never a lesson on basic best practices.

On my first day at Akamai, nearly an hour of orientation was dedicated to the subject. I had written about the importance of security training for employees many times over the years, but this was the first time I received it.

Security training in the business world isn't something you can do with a one-size-fits-all mindset. Different companies have different needs, and Akamai is no exception. We dealt with specifics I won't discuss here. But a lot of the directions were pretty basic and applicable in any company and industry. 

For example: 

We are told it's fine to use the IM app of our choice to communicate with friends and family. But for any internal, work-related communications, we must use a separate, specific IM tool, one that has added protections around it.

We have a routine schedule of pushing out security patches for various programs, and we will occasionally see a box appear on screen asking us to press a button to install new updates. In the training session, it's made clear that we have to pay attention and heed the call to update when called upon. We are also told to make sure we are updating from an authoritative source. Popups on a screen can be dangerous, after all.

If we leave our computer unattended, we should lock the screen so that others cannot access our data or applications. On my second day, I walked away with several applications running on my machine, and returned to find a sticky note on the monitor that said, "Screen savers FTW."

Speaking of sticky notes, another directive we get is to never leave around notes with our passwords or other authorization data written on them.

If we see someone without a badge trying to enter the building, or another secured area, we are responsible for ensuring that they are properly identified by ourselves, our corporate security group, or any one of our authentication tools (including coworkers, employee directories, etc.).

There are many more details that go into our program, but those are good examples of the basic items other companies would benefit from adopting.