Security awareness – Once is never enough

Dominic Saunders

Without an ongoing systematic and proactive user awareness programme, a strong security posture is in jeopardy. There is no cure for stupidity or genuine human error, but you can educate your workforce to help them make the right decisions and avoid unnecessary mistakes. What are you doing to make sure your workforce is security aware?

Unless IT security is a core element of someone's job, it is not necessarily considered part of their ongoing development needs. All too often employees get just an initial presentation from the IT department when they start and are expected to remember it, keep up to speed with changes and adhere to ever-changing IT security policies and procedures.

Drowning in a sea of paper

Firstly, consider how you currently tell your workforce about the security risks your organisation faces. Now think about how you’d feel on the receiving end.

While there may be one or two smug people reading this thinking the virtual quiz that’s administered when an employee joins is something to be proud of, I’d imagine the majority of you are hanging your heads in shame.

The truth is you probably hand your employees a 20-page dossier and expect them to read and digest it. The problem is that most IT security policy and procedure manuals are written in a language intended to impress the regulators, lawyers and auditors who will be checking that they exist. The average employee doesn’t stand a chance.

Stumbling in the dark

So, your document is re-written in plain English and everyone has been given a copy. That’s that then, isn’t it? Actually, if you remember back to your school days, did you learn faster from reading a text book or from practical experience? I’d wager it’s the latter.

Staff need multi-sensory input if they’re going to fully appreciate relevant policies and procedures and understand exactly what their responsibilities are. If you expect them to play their part in protecting the organisation, don’t they deserve to be shown how to do it? Online videos and interactive training that can be viewed at their convenience do the job very well.

Afraid to ask for help

An employee's ability to take appropriate actions if, and when, a security incident arises is paramount. Think about your team – if anyone in your organisation were to discover a breach would they know what to do? If it were something they’d done that had caused the problem, would they put their hand up and come clean or try to cover it up?

Making sure employees understand the risks of leaving any security breach unreported, and are not scared of reporting potential issues, is critical.

Do as I say, not as I do

This is a common problem for far too many organisations – and it’s not just a security phenomenon. Orders from on-high dictating what employees ‘have to do’ are regularly ignored by management. If that’s happening in your organisation you need to stop it – today.

If you’re serious about making your workforce aware of the security risks that organisations face, here’s a seven-point action plan:

Action 1: Rewrite your IT security policies and procedures. Use a language that will actually be understood, and not just impress an auditor. Spell out the risks the organisation faces for non-compliance.

Action 2: Consider changing the way you introduce security as part of the induction process. Smaller, more manageable documents are easier not only for the recipient to grasp, but also for the organisation to review and update. In addition, by drip feeding the information, people are more likely to find time to read it and build a deeper awareness of security issues whilst reinforcing elementary security fundamentals.

Action 3: As previously mentioned, review and update processes regularly and that includes regularly reminding your colleagues. Just because John in accounts had a security briefing when he joined the company 10 years ago doesn’t mean he knows what the risks are today. Educate staff, regularly, to make sure they still understand what’s expected of them and especially when things change.

Action 4: Consider using an automated system to deliver policies and associated documentation directly to employees at their workstations. This makes the whole process manageable for you both.

Action 5: Introduce testing, either for all or a proportion of users. This will help to identify where policies aren’t understood so they can be rewritten to make sure everyone knows what they are doing and, as importantly, why. You’ll also be able to identify weaknesses and therefore focus training energies to the necessary areas.

Action 6: Get your employees to sign up to key policies so you know that they’re onboard. As part of the process, include the consequences if they break the rules. That said, make sure that they understand that genuine errors are expected and should be reported, not ignored or covered up.

Action 7: Take action against offenders. If people see policies being enforced consistently at all levels within an organisation, and where appropriate disciplinary action taken against those who wilfully neglect corporate rules, they are more likely to take notice of security information. When employees realise the circumstances and consequences of security policy violations, for them as well as for the organisation, it nudges them to choose the right course of action, and perhaps makes them more prepared to encourage others to behave within the acceptable governance framework.

At the end of the day, you’re all in this together and every single person in your organisation needs to understand the part they play in defending it and keeping it secure. Don’t just assume that because you’ve got written policies and procedures to follow, the people in your organisation are security aware.