How do we inform our employees internally about IT and non-IT security threats and changes in our security policies so that they take note and comply, not tune out and ignore?
Humans are the weakest element in any security solution. Every security officer is faced with the challenge of implementing security solutions that take into consideration not only the technological threats but also the human factor.
The successful implementation of any security program — IT- or non-IT-related — requires changes in user behavior. The uphill battle of educating staff and changing behavior begins once the security program is in place. Security awareness is what we call a preventative access control. It is tied into security policies, incident response and disaster recovery.
Security awareness is an ongoing process
The successful implementation of any security program starts immediately after the hiring process. Security policies should be communicated to all new employees as part of their orientation package or welcome kit. They should all know what is expected of them while employed with the company. Penalties and actions should be clearly communicated and no exceptions allowed.
Security policies should be available any time at the click of a button, preferably via your intranet. A basic set of policies may also be made available on the Internet for outside, or client, access.
The security group should be just a phone call away. Make contact information obvious in your telephone directory and put stickers on phone sets and monitors. If a Computer Incident Response Team is present, its contact numbers should be posted as well. Users should be aware that they should call the relevant security body if they suspect any type of malicious activity.
Every employee in an organization, from the CEO down to the last employee, requires the same amount of security awareness, and every employee has a role and a responsibility. Make sure this is communicated clearly to all levels within the organization.
Tools of the trade
A successful security program is fresh, creative and updated frequently. Here are some tools that security officers, managers and business owners can use. Rotate them as frequently as you can:
- Create a security newsletter and circulate it within the company in both e-mail and print formats.
- Create a document with a few basic security policies and place it on every computer’s desktop.
- Implement an annual security awareness program. Choose three security topics for the year, for example, passwords, keeping a clean desk and how to stop strangers from following you into the building. Post the top three security issues in common view. Remind users constantly what is expected of them.
- Reward those employees who report security incidents and raise awareness of such behavior by putting the information in your newsletter.
- Walk the floor every month and leave a “well done” note when you see a clean office space. Show interest in promoting security and reward those who do the same.
- Attend and present at quarterly gatherings where many employees can be reached at the same time.
- Once a year, send out a security agreement to every employee. This should contain basic policies or the privacy principles. Have them agree to it and sign it. Local managers may keep the signed document for future reference.
- Hold lunch and learn sessions, post notices and give out mouse pads, magnets and stickers.
The goal of creating security awareness is to bring security to the forefront and make it a recognized entity for all users. Like any important initiative, it all starts with executive buy-in. When management agrees that security is a top priority, users have no choice but to comply.
Sam Kamoutsis, CISM, CISSP, is president of PC SYSWARE Inc. (dba SECURE SMB), a consulting firm that specializes in SMB security issues.