BreachExchange mailing list archives

How to Create Security Awareness at Your Company


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 5 May 2015 19:14:34 -0600

http://finance.yahoo.com/news/create-security-awareness-company-154500172.html

Imagine this fantasy: At your company, sensitive customer data is
impenetrable. Hardware is secure. And every single IT specialist in your
employ has the resources and funds to make all of this happen.

But, no, it's time to pinch yourself and wake up. The reality is that no
matter how secure the nonhuman end of things is, the mere existence of
people using a system will always mean the potential for data breaches.

Should we throw in the towel? Of course not. If we did, cyber criminals
would practically rule the world.

Instead, we should focus on increasing security awareness in the workplace,
from the ground up and from the top down: We should teach workers how to
handle data to minimize the potential of its falling into the wrong hands.
A couple of strategies:

- Tell employees that a data breach could mean the loss of their job. This
  will give them incentive to become more security aware.
- Impress on employees the warning signs of a cyber attack so that they can
  more easily spot suspicious activities.
- Every employee, old and new, should be thoroughly instructed on security at
  the level of the individual computer. New employees should complete this
  training before they officially begin work and before accessing the
  company's network.
- Install technology that will detect when employees are doing something they
  shouldn't. The software will alert them in time to take corrective action
  as well as enhance their learning experience.
- Set up mock "phishing" emails to see who takes the bait. "Internal
  phishing" will teach employees how to be smarter and less gullible.

So, what are some ways to maximize security awareness? Here are eight.

1. Establish a baseline.

Before you can get awareness efforts going, you must first collect the
metrics needed to establish a solid reference point. An example might be the
results of the staged phishing. Metrics are important, as they will enable
you to gauge the success of the effort.

2. Be realistic.

Don’t think in terms of banning a certain activity, like involvement with
social media, but rather of teaching employees to be judicious about it.

3. Use lots of tools.

A program for security awareness should involve multiple venues such as
video games, newsletters, mock phishing and whatever else comes to mind.

4. Be creative.

Even if funds are scarce, you can still make the learning process more fun
than drudgery. For example, give boxes of candy canes out for the holidays,
but tucked inside each box enclose the company’s security policy. Employees
will more likely read the policy if it comes with candy canes than if it’s
simply mailed, or handed to them in the office by the boss.

5. Seek high-ranking executive support.

Once the “bigwigs” get involved, employees lower on the chain will more
likely follow suit. How can we get “C-level” decision makers on board in
the first place? Tell them that return on investment is contingent upon
security. That will get them hopping. Another way to grab their attention
is to send out newsletters specifically for them, which will add to their
feeling privileged. In the newsletters, include information on security
awareness.

6. Recruit other departments.

No department is too unimportant to be involved in security awareness. Get
every department involved, even your housekeeping and cafeteria staffs. But
especially go after your marketing, legal and human resources departments,
because they’re in a position to make security awareness a requirement.

7. Re-evaluate.

Re-evaluate your new program every 90 days, without fail. This approach has
been shown to be quite effective. To avoid information overload, emphasize
maybe three topics at a time over the three-month period. Then, 90 days
later, see what needs to be revised, based on those three topics.

8. Hit close to home.

Get employees to focus on themselves; don’t harp just on security awareness
that affects the company. Make workers understand that security is about
them, too, not only the elusive bigwigs. Talk to them about the most common
scams and tricks cyber criminals use, and how to protect themselves at
home, with tools such as firewalls and wireless VPNs.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/