This article originally appeared in the October 2012 issue of INTERNET TELEPHONY
Unless IT security is a core element of someone's job, it’s not necessarily considered an ongoing development need. All too often employees get just an initial presentation from the IT department when they start, and are expected to remember it, keep up to speed with changes, and adhere to ever-changing IT security policies and procedures.
Without an ongoing systematic and proactive user awareness program, a strong security posture is in jeopardy. There is no cure for stupidity or genuine human error, but you can educate your workforce to help employees make the right decisions and avoid unnecessary mistakes.
You probably hand your employees a 20-page dossier and expect them to read and digest it. The problem is that most IT security policy and procedure manuals are written in a language intended to impress the regulators, lawyers and auditors who will be checking that they exist.
The average employee doesn’t stand a chance.
Even if your document is rewritten in plain English and everyone has been given a copy, however, that’s probably inadequate. Staff members need multisensory input if they’re going to fully appreciate relevant policies and procedures and understand exactly what their responsibilities are. If you expect them to play their part in protecting the organization, don’t they deserve to be shown how to do it?
Online videos and interactive training that can be viewed at their convenience do the job very well.
Consider, also, that an employee's ability to take appropriate actions if and when a security incident arises is paramount. Think about your team – if anyone in your organization were to discover a breach, would they know what to do? If it were something they’d done that had caused the problem, would they put their hand up and come clean or try to cover it up?
Making sure employees understand the risks of leaving any security breach unreported and are not scared of reporting potential issues is of the utmost importance.
If you’re serious about creating awareness among your workforce of the security risks that organizations face, here’s a seven-point action plan:
Action 1: Rewrite your IT security policies and procedures. Use a language that will actually be understood, and not just impress an auditor. Spell out the risks the organization faces for non-compliance.
Action 2: Consider changing the way you introduce security as part of the induction process. Smaller, more manageable documents are easier not only for the recipient to grasp, but also for the organization to review and update. In addition, by drip-feeding the information, people are more likely to find time to read it and build a deeper awareness of security issues while reinforcing elementary security fundamentals.
Action 3: As previously mentioned, review and update processes regularly, and that includes regularly reminding your colleagues. Just because John in accounts had a security briefing when he joined the company 10 years ago doesn’t mean he knows what the risks are today. Educate staff members regularly to make sure they still understand what’s expected of them, especially when things change.
Action 4: Consider using an automated system to deliver policies and associated documentation directly to employees at their workstations. This makes the whole process manageable for you both.
Action 5: Introduce testing, either for all users or for a proportion of them. This will help to identify where policies aren’t understood so they can be rewritten to make sure everyone knows what they are doing and, as importantly, why. You’ll also be able to identify weaknesses and therefore focus training effort on the areas that need it.
Action 6: Get your employees to sign up to key policies so you know that they’re on board. As part of the process, include the consequences if they break the rules. That said, make sure that they understand that genuine errors are expected and should be reported, not ignored or covered up.
Action 7: Take action against offenders. If people see policies being enforced consistently at all levels within an organization, and where appropriate disciplinary action is taken against those who wilfully neglect corporate rules, people are more likely to take notice of security information. When employees realize the circumstances and the consequences of security policy violations for them as well as for the organization, it nudges them to choose the right course of action, and perhaps be more prepared to encourage others to conform to standards of behavior within the acceptable governance framework.
At the end of the day, you’re all in this together, and every single person in your organization needs to understand the part they play in defending your organization and keeping it secure.
Edited by Braden Becker