It is certainly a truism to say that an organisation’s weakest point is its own employees. It could be argued that, because this has been said so many times by so many people and offers no new insight, there is little value in stating it again. Such is the nature of a truism.
However, a situation where the first line of defence is also your Achilles’ heel is so unusual and so important that it deserves constant attention, not cynical acceptance.
There is much that enterprises, both large and small, should be doing to mitigate the risk posed by well-intentioned employees who are simply trying “to get the job done”. Equally, employers also have a duty to keep abreast of developments both technological and criminal, in order to provide effective training.
Organisations need to make sure they understand the threat as it really is today, not as they think it is. They need to make sure their users are educated to use the Internet and corporate resources from a position of awareness and caution rather than blind trust in a technological solution. Employees should be aware of how invisibly compromise can occur and where to go if they are concerned.
Equally, people need to be made aware of the real monetary value of their own and other people’s personal information and to treat it with the care it deserves, rather than offering it to any curious onlooker through social and professional networking, blogging, telephone calls, bogus surveys and more.
Currently, most corporate information security training initiatives are only visible to a new employee. As a new hire, you are handed all the relevant policies to digest and sign. The problem is that this is often a one-time event. Three months or three years down the line, employees are still expected to remember the practical application of the policy, and the failure to revisit it assumes that neither the threat nor the technological environment has evolved in the meantime.
Education, particularly in the realm of information security, should be a process, not an event. Ideally, it should also be fun and engaging, making sure that security is always at the forefront of the enterprise mind-set, whether in work or outside. Good information security practices should extend beyond the perimeter of the workplace, as actions at home, particularly in the age of BYOD and Consumerisation, can have serious repercussions at work.
Information security training can be a difficult subject to bring to life for an uninterested audience; many important lessons can be learned from the marketing, creative and web content parts of your business. Security training is not an initiative for the security team alone; it is one where multiple areas of expertise must work together for real success.
The concept of gamification, the use of game design techniques to enhance non-game activities, is one that can be successfully applied to security training. Divide your workforce into functional or geographic teams and deliver the same training to each team on a staged basis, prolonging the initiative over time. Devise league tables to bring out the competitive side of your employees, and challenge them with a series of unexpected tests: mystery callers trying out social engineering techniques, attempts to establish friendships on social networks, or phishing email campaigns designed to ensnare the unwary, for example. If your workforce has been forewarned that there is an ongoing practical element to the training, and that their security radar will be tested without notice, this will only heighten their general security awareness. Achievements and awards can be earned on an ongoing basis, building the motivation to keep security at the top of the list in everyday work.
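Scoring the league table is where a programme of this kind can quietly go wrong: raw counts favour large teams, and a team that joined the staged rollout late has simply had fewer chances to score. The Python below is an added example, not code from the original post or from any product it describes. It scores simulated phishing campaigns per team, normalises by team size and by the number of campaigns each team has actually received, and tracks the trend across campaigns. The outcome weights, team names, campaign names and results are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Points per outcome of a simulated phishing e-mail (hypothetical weights).
# Reporting scores more than merely not clicking, because a report is what lets
# the security team act; submitting credentials on the landing page is the worst case.
OUTCOME_POINTS = {"reported": 2, "ignored": 0, "clicked": -1, "credentials": -3}
CLICK_OUTCOMES = {"clicked", "credentials"}


@dataclass(frozen=True)
class Event:
    """One recipient's outcome in one simulated campaign."""
    campaign: str  # delivery is staged, so not every team has seen every campaign
    team: str
    user: str
    outcome: str


def _campaign_points(events):
    """Build {team: {campaign: [points, ...]}}, rejecting unknown outcomes."""
    table = defaultdict(lambda: defaultdict(list))
    for e in events:
        if e.outcome not in OUTCOME_POINTS:
            raise ValueError(f"unknown outcome {e.outcome!r} for {e.user}")
        table[e.team][e.campaign].append(OUTCOME_POINTS[e.outcome])
    return table


def league_table(events):
    """Rank teams by mean per-campaign score.

    Each campaign score is the mean points over the team's recipients, so a 40-person
    team and a 4-person team are comparable. The team score is the mean over the
    campaigns that team has actually received, so staged delivery does not penalise a
    team that has seen fewer of them. 'trend' is the last campaign's score minus the
    first's (None if only one campaign has been seen): the number to watch when the goal
    is rising awareness rather than a one-off result.
    """
    events = list(events)
    table = _campaign_points(events)
    rows = []
    for team, camps in table.items():
        # Campaign ids in this dataset sort chronologically (Q1 < Q2 < Q3).
        per_campaign = [sum(p) / len(p) for _, p in sorted(camps.items())]
        team_events = [e for e in events if e.team == team]
        rows.append({
            "team": team,
            "score": round(sum(per_campaign) / len(per_campaign), 2),
            "campaigns": len(per_campaign),
            "report_rate": round(sum(e.outcome == "reported" for e in team_events)
                                 / len(team_events), 2),
            "click_rate": round(sum(e.outcome in CLICK_OUTCOMES for e in team_events)
                                / len(team_events), 2),
            "trend": (round(per_campaign[-1] - per_campaign[0], 2)
                      if len(per_campaign) > 1 else None),
        })
    rows.sort(key=lambda r: (-r["score"], r["team"]))
    return rows


# Constructed sample results (not real data): three staged campaigns, where Sales has
# only received the third one so far. Each string lists one outcome per recipient.
_RESULTS = {
    "Q1-invoice": {"Finance": "reported ignored clicked credentials",
                   "Engineering": "reported reported ignored"},
    "Q2-password-reset": {"Finance": "reported reported ignored clicked",
                          "Engineering": "reported ignored clicked"},
    "Q3-shared-doc": {"Finance": "reported reported reported ignored",
                      "Engineering": "reported reported reported",
                      "Sales": "reported clicked"},
}
SAMPLE_EVENTS = [Event(c, team, f"{team.lower()}{i}", o)
                 for c, teams in _RESULTS.items()
                 for team, outcomes in teams.items()
                 for i, o in enumerate(outcomes.split(), 1)]

if __name__ == "__main__":
    for row in league_table(SAMPLE_EVENTS):
        print(row)
```

On the constructed data Engineering tops the table despite having fewer people than Finance, Finance shows the strongest upward trend (its first campaign scored below zero, its third well above), and Sales, with a single campaign, is ranked but has no trend yet. The points weights are the policy lever: if you want reporting rather than mere caution, the reported outcome must be worth more than ignoring, or the table rewards silence.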
It’s not about punishing the individuals or teams with the lowest scores; it’s about creating a culture of security in which every employee is more aware of the consequences of their actions, even when those actions seem entirely innocuous at the time.
Information security is not a destination, it’s a journey.
During the month of October, we’re supporting the National Cyber Security Alliance in celebration of Cyber Security Month – an effort that aims to educate organizations and individuals about how to stay safe online. Check out the helpful videos, infographics, blog posts and reports we’ve gathered for you here.