By Dr. Guy Bunker @guybunker
No. 2 Train and educate employees
Education and awareness are probably the most cost-effective security measures (but they are by no means a silver bullet – so you will need policy and technology as well!). Do not rely solely on CBT (computer-based training) for security. On its own it is a ‘check box’ exercise and an easy get-out for security policies built around technology and threats that existed 5-10 years ago. So…
- Distribute a regular (quarterly) security bulletin – by email, or on notice boards. Don’t rely on people to click a link... post it on a website, but ensure it is front and center in their inbox as well. As for what sort of things you could put in the bulletin... how about some of the following?
- Talk about specific cases in the media (there are plenty of them), what it meant for the company in question and what you currently do (or should do) to mitigate the risk. Often employees have great ideas for reducing security risks... you just need to ask. (And don’t shoot the messenger!)
- Explain the risks and consequences of a lax security posture. Why a lost laptop is a problem – not just to the individual, but to the organization. Why a wrongly addressed email can cause reputational damage.
- When looking to introduce new technology, ensure that there is discussion beforehand. Explain what risks are being mitigated, and how. Security is often thrust onto the workforce – creating more problems. Discussion and inclusion helps remove issues before they become problems.
- Make it personal. “Look after other people’s information, as you would like them to look after yours.” Find examples of bad behavior in news stories and contrast with good practices you have.
Don’t miss Monday’s final part of the three stages – Utilize a technology solution…