February 2010

Security Awareness has to involve everyone

No matter how effective or strong the information security program may be, it is only as effective as the most malicious or incompetent employee. There are numerous examples of businesses that have spent hundreds of thousands incorporating leading-edge technology, procedures, monitoring systems, policies and comprehensive training programs, only to have one employee do something that compromised the systems, the data or some business process. While we cannot discount governance and technology, the obvious fact remains that information security must involve everyone in the company.

Everyone must know their part and understand the consequences of violating the policies the organization has put into place. What types of consequences does an organization put into place to ensure security awareness is taken seriously? This will depend upon the organization, its structure, HR regulations, etc. We have seen some organizations that have implemented a security awareness program as part of their new hire orientation training. To ensure that the new employee understands the security policies, badge access or computer access is not granted until they pass a test proving they have read and understood the information presented to them.

Consistent reinforcement of security procedures and policies needs to be done with existing staff as well. Yearly, ongoing training is a must, but how do you know if any of the information provided is being retained? You can encourage employees to take a yearly examination, and it can be done anonymously. This would provide the organization with data to measure the effectiveness of the program and would also give the employee the necessary incentive to take the training. For more suggestions on security awareness program retention or incentive planning, contact us! As always, your feedback or ideas are very welcome!

How to win a gold medal with your security awareness program

To win the gold...a corporate security awareness program aims to make all the employees understand and appreciate not only the value of the company's information assets but also the consequences in case these assets are compromised. In theory, the process is straightforward and painless. But as every IT/security manager knows, in real life, an awareness program can be a huge headache - especially in a large enterprise.

How do you plan correctly when implementing a security awareness program? How do you determine what tools will be effective in your organization? And...how do you create a winning program that wins a gold in terms of making everyone aware?

A couple of simple rules:

1. Do the training yourself - ensure that you do your research. Understand how employees use the systems and for what purposes, and who has access to what and why. Understand the dynamics of your organization. Be well versed in the policies, goals and initiatives within your organization that might impact the program.

2. Get executive buy-in - without the right buy-in you will not succeed...period.

3. Create a focus group - get individuals from each department involved in the process so they can help you to build the right messaging and communicate effectively to the different groups within the organization.

4. Communicate, communicate, communicate again - use different techniques to get the message across. Be succinct and clear in all communications used and ensure that a regular frequency is maintained throughout the year.

5. Above all...make it FUN! In general, people are frightened about security breaches and risks. Try to remove the scary aspect by getting them involved.

6. Lead by example. Act swiftly and communicate rapidly if a security incident occurs. Ensure you are adhering to the policies within the organization and take every opportunity to communicate and reinforce the awareness message.

We would welcome your input into this conversation. Let us know what methods you have used to get that additional "edge" to create a winning program.

ROI re-visited

Many of the organizations we talk to regarding security awareness training tell us that they are in the process of, or thinking about, creating an in-house e-learning solution. This always amazes me. Why in the world would you create something from scratch? Unless, of course, you have a bunch of learning and security professionals hanging around your company doing nothing with their time.

So, when does it make sense to develop internally? My answer (albeit not an expert opinion) is only when the subject matter is so highly specialized that nothing exists that adequately addresses the need. In the case of security awareness, there is an incredible amount of developed content already available that can be customized to suit an organization's requirements. It may not be ours, but the point is, you will be saving money in the long run. For us, one-hour e-learning with animation, audio, and translation into two languages has an approximate associated timeline of 18 weeks. What is your estimate?