
How to win a gold medal with your security awareness program

To win the gold...a corporate security awareness program aims to make all employees understand and appreciate not only the value of the company's information assets but also the consequences should those assets be compromised. In theory, the process is straightforward and painless. But as every IT/security manager knows, in real life an awareness program can be a huge headache - especially in a large enterprise.

How do you plan correctly when implementing a security awareness program? How do you determine what tools will be effective in your organization? And...how do you create a winning program that wins a gold in terms of making everyone aware?

A couple of simple rules:

1. Do the training yourself - ensure that you do your research. Understand how employees use the systems and for what purposes, who has access to what and why. Understand the dynamics of your organization. Be well versed in the policies, goals and initiatives within your organization that might impact the program.

2. Get executive buy-in - without the right buy-in you will not succeed...period.

3. Create a focus group - get individuals from each department involved in the process so they can help you to build the right messaging and communicate effectively to the different groups within the organization.

4. Communicate, communicate, communicate again - use different techniques to get the message across. Be succinct and clear in all communications used and ensure that a regular frequency is maintained throughout the year.

5. Above all...make it FUN! In general, people are frightened about security breaches and risks. Try to remove the scary aspect by getting them involved.

6. Lead by example. Act swiftly and communicate rapidly if a security incident occurs. Ensure you are adhering to the policies within the organization and take every opportunity to communicate and reinforce the awareness message.

We would welcome your input into this conversation. Let us know what methods you have used to get that additional "edge" to create a winning program.

The Year’s Most Hacked Software

http://www.forbes.com/2009/12/10/adobe-hackers-microsoft-technology-cio-network-software.html

Forbes recently compiled a list of the seven most-hacked software titles for 2009. They surveyed security professionals from various companies including Verisign, TippingPoint, iDefense and Qualys. Based on this survey, Forbes found that the following were the most hacked software titles of 2009.

  • Adobe Reader
  • Internet Explorer
  • Mozilla Firefox
  • Adobe Flash
  • Apple Quicktime
  • Microsoft Office
  • Microsoft Windows

Even though Adobe has become a major focus for hackers, old targets such as Internet Explorer and Firefox are still far from secure. Researchers also note that hackers are turning away from bugs in operating systems to focus on applications, partly because operating systems are more securely coded and are systematically patched more frequently than the applications that run on them. Application patches are not applied as promptly by users, even after a vendor has issued them.

For the new year, make sure you keep on top of your patches and be especially diligent with patches released by your application vendors.

Have a safe and prosperous new year!  Our best wishes to all of our clients and followers for the new year.

Learning to tie your shoes

I purchased a new pair of runners for my 7 year old and these had laces. I had taught him to tie his shoes in Kindergarten but with most of the shoes and boots having velcro, I did not realize that the lesson taught in Kindergarten did not stick. I was both shocked and dismayed to realize that my Grade 2 child did not know how to tie his shoes! As a parent I also had that wonderful "guilt" feeling that goes along with realizing that I probably didn't do a very good job initially as I was in a rush (as always) and should have probably spent more time having him practice so that he retained the knowledge. I also should have bought him more shoes with laces!

So...how does this relate to security awareness? Like any type of training or learning, if a person does not practice what has been learned it does not get retained. Security awareness is even more difficult since we are ultimately trying to change behavior.  Individuals are already set in their ways of performing various job tasks throughout the day. Security awareness is about changing the way in which those tasks are performed. Teaching a security awareness class once a year and providing no other reinforcement or communication on the subject will not sufficiently change behavior of your end users.

Not putting aside enough time as an educator to ensure that your security awareness program is planned and supported properly will lead to additional stress, guilt and ultimately to the failure of the awareness program.

So...what do we do? We must ensure that awareness is delivered in small, bite-sized amounts that are easily digestible, and then follow up with reinforcement tools or methods - i.e., posters, newsletters, video clips, spot checks or walkabout reminders that catch people doing what was taught, correctly or not. Providing continuous training throughout the year will aid retention. Providing rewards and/or encouragement for completing the training and for a change in behavior will give you a better and more widely accepted security awareness program.

Keeping IT Simple

Maximizing what little security budget is left isn't easy but it is possible.  Despite the recession, businesses are still investing in security. But, what if your company isn't? There are ways to maximize the security budget you do have and actually increase your security posture. A simple approach can be extremely effective.  Here are some recommendations:

1. Review existing security tools and augment with open source

Supplementing your existing IT security infrastructure can be done via a myriad of open source tools that are extremely affordable. Review the tools you do have and supplement them with open source, or look at tweaking your current ones by contacting the vendor and asking whether any tweaks or scripts can be written for a small professional services fee.

2. Keep training your staff

ALL employees need constant training. Review your existing training strategies and increase sessions or add free training tools and resources to your existing repertoire to "freshen" the content. There are a "ton" of free resources out there. Microsoft has a great free security awareness tool kit you can use that contains all types of slogans, newsletter templates, etc.: http://technet.microsoft.com/en-us/security/cc165442.aspx

3. Increase security awareness

If your staff are trained and aware of potential risks and threats, your ability to avoid security breaches increases exponentially. Regular training, education and continuous communication and marketing techniques can condition employees to be wary of e-mail attachments and URLs sent by strangers, or to be more cognizant of any potential insider issues.

Measuring Security Awareness Training on a budget

Rolling out a large Information Security Awareness Training Program can be an incredibly daunting task, especially if you have to ensure that your efforts are measurable in order to meet industry standards or adhere to legislation.

Let’s face it, you can’t measure the number of times employees look at the security awareness posters you just put up in the coffee room or in the elevator and how the heck do you measure the impact of a banner on the company intranet? Did it really change the outcomes and behaviors of the employees?

And what about that 1.5 hour live training session? Did anyone actually listen and has implemented the recommendations?

If your budget has been cut and you can’t afford an online training component with a back-end LMS to track and provide reporting functions then start small and try the following techniques:

1. After your live training sessions, walk around and measure the impact by talking to employees and asking questions.

2. At lunch, do "walk-bys". Check whether employees are leaving their desks without adhering to the "clean desk" policy, have left their laptops unlocked, etc. If so, create some friendly reminder cards to place on their desks as reinforcement.

3. Pick a month each year and run a "security awareness month", combining short videos with games and posters that supplement your regular, ongoing yearly training programs.

4. Provide incentives (if possible - even an apple, chocolate bar, etc.) for those you catch doing the "right" thing when it comes to being security aware.

The key is to track all of these items. Start a spreadsheet and track the number of employees talked to per month, the number of incidents discovered in the walk-bys and the number of employees caught doing something correctly. Create some nice monthly graphs from the data and provide them to management so they know you are on top of the security awareness issue.
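As an added example (not part of the original post), the spreadsheet tracking described above can be kept as a plain CSV log and summarised per month in a few lines of Python; the log rows, the three "kind" values and the correct-behaviour rate metric are assumptions for illustration.

```python
import csv
import io
from collections import defaultdict
# Constructed sample walk-by log (not real data). kind is one of:
#   talked   - employee questioned after a live session
#   incident - walk-by finding (unlocked laptop, papers left out)
#   correct  - employee caught doing the right thing
SAMPLE_LOG = """date,kind,detail
2009-11-03,talked,asked about phishing module
2009-11-04,incident,laptop left unlocked
2009-11-04,incident,documents left on desk
2009-11-10,correct,screen locked before lunch
2009-11-17,talked,asked about password policy
2009-12-01,incident,laptop left unlocked
2009-12-02,correct,desk clear and screen locked
2009-12-02,correct,visitor badge challenged
2009-12-09,talked,asked about clean desk policy
2009-12-15,correct,screen locked before lunch
"""

KINDS = ("talked", "incident", "correct")

def monthly_counts(log_text):
    """Return {YYYY-MM: {kind: count}}; rejects unknown kinds so typos don't skew the numbers."""
    counts = defaultdict(lambda: dict.fromkeys(KINDS, 0))
    for row in csv.DictReader(io.StringIO(log_text)):
        kind = row["kind"].strip()
        if kind not in KINDS:
            raise ValueError(f"unknown kind {kind!r} on {row['date']}")
        counts[row["date"][:7]][kind] += 1
    return dict(counts)

def correct_rate(month):
    """Share of walk-by observations where the employee did the right thing (None if none observed)."""
    observed = month["incident"] + month["correct"]
    return month["correct"] / observed if observed else None

def monthly_report(log_text):
    """Rows of (month, talked, incidents, correct, correct_rate), oldest first: the management summary."""
    counts = monthly_counts(log_text)
    return [(m, counts[m]["talked"], counts[m]["incident"], counts[m]["correct"], correct_rate(counts[m]))
            for m in sorted(counts)]

def text_chart(log_text, width=20):
    """Plain-text bar per month of the correct-behaviour rate, a quick stand-in for the monthly graph."""
    rows = []
    for month, _, _, _, rate in monthly_report(log_text):
        bar = "#" * round((rate or 0) * width)
        rows.append(f"{month}  {(rate or 0):4.0%}  {bar}")
    return rows
```

A rising correct-behaviour rate month over month is the trend worth showing management; a month with no walk-by observations reports None rather than a misleading 0%.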