Published on February 22, 2010 by Karen Letain in News
No matter how effective or strong the information security program may be, it is only as effective as the most malicious or incompetent employee. There are numerous examples of businesses that have spent hundreds of thousands incorporating leading-edge technology, procedures, monitoring systems, policies and comprehensive training programs, only to have one employee do something that compromised the systems, the data or some business process. While we cannot discount governance and technology, the obvious fact remains that information security must involve everyone in the company.
Everyone must know their part and understand the consequences of violating the policies the organization has put into place. What types of consequences does an organization put into place to ensure security awareness is taken seriously? This will depend upon the organization, its structure, HR regulations, etc. We have seen some organizations that have implemented a security awareness program as part of their new-hire orientation training. To ensure that the new employee understands the security policies, badge access or computer access is not granted until they pass a test proving they have read and understood the information presented to them.
Consistent reinforcement of security procedures and policies needs to be done with existing staff as well. Yearly, ongoing training is a must, but how do you know whether any of the information provided is being retained? You can encourage employees to take a yearly examination, and it can be done anonymously. This would provide the organization with data to measure the effectiveness of the program and would also give employees the necessary incentive to take the training. For more suggestions on security awareness program retention or incentive planning, contact us! As always, your feedback or ideas are very welcome!
Published on June 19, 2009 by Karen Letain in News
Rolling out a large Information Security Awareness Training Program can be an incredibly daunting task, especially if you have to ensure that your efforts are measurable in order to meet industry standards or adhere to legislation.
Let’s face it: you can’t measure the number of times employees look at the security awareness posters you just put up in the coffee room or in the elevator, and how the heck do you measure the impact of a banner on the company intranet? Did it really change the outcomes and behaviors of the employees?
And what about that 1.5-hour live training session? Did anyone actually listen and implement the recommendations?
If your budget has been cut and you can’t afford an online training component with a back-end LMS to track and provide reporting functions, then start small and try the following techniques:
1. After your live training sessions, walk around and measure the impact by talking to employees and asking questions.
2. At lunch, do “walk-bys”. Check to see whether employees are leaving their desks without adhering to the “clean desk” policy, have left their laptops unlocked, etc. If so, create some friendly reminder cards to place on their desks as reinforcement.
3. Pick one month a year and run a “security awareness month” that combines short videos with games and posters to supplement your regular yearly ongoing training programs.
4. Provide incentives (if possible – even an apple, a chocolate bar, etc.) for those you catch doing the “right” thing when it comes to being security aware.
The key is to track all of these items. Start a spreadsheet and track the number of employees talked to per month, the number of incidents discovered in the walk-bys and the number of employees caught doing something correctly. Create some nice monthly graphs with the data and provide them to management so they know you are on top of the security awareness issue.