Published on June 19, 2009 by Karen Letain in News
Rolling out a large Information Security Awareness Training Program can be an incredibly daunting task, especially if you have to ensure that your efforts are measurable in order to meet industry standards or adhere to legislation.
Let’s face it: you can’t measure the number of times employees look at the security awareness posters you just put up in the coffee room or in the elevator, and how do you measure the impact of a banner on the company intranet? Did it really change the outcomes and behaviors of the employees?
And what about that 1.5 hour live training session? Did anyone actually listen and implement the recommendations?
If your budget has been cut and you can’t afford an online training component with a back-end LMS to track and provide reporting functions then start small and try the following techniques:
1. After your live training sessions, walk around and measure the impact by talking to employees and asking questions.
2. At lunch, do “walk-bys”. Check whether employees are leaving their desks without adhering to the “clean desk” policy, have left their laptops unlocked, etc. If so, create some friendly reminder cards to place on their desks as reinforcement.
3. Pick one month a year and hold a “security awareness month”: combine short videos with games and posters to supplement your regular yearly ongoing training programs.
4. Provide incentives (if possible; even an apple, a chocolate bar, etc.) for those you catch doing the “right” thing when it comes to being security aware.
The key is to track all of these items. Start a spreadsheet and record the number of employees talked to per month, the number of incidents discovered in the walk-bys and the number of employees caught doing something correctly. Create some clear monthly graphs from the data and provide them to management so they know you are on top of the security awareness issue.
Published on June 04, 2009 by Karen Letain in News
For anyone out there experimenting with Twitter, you are probably aware that with so few characters available per tweet, you eventually need to use a Short URL service to direct your followers to what you want them to read or see. These Short URL services are great and, guess what, they are free! This seems great until you start thinking about the potential security risks. For companies with employees sneaking in a few tweets a day at work, those security issues could become a big problem.
Let's start by understanding that anyone following a Twitter account blindly clicks on the Short URL without really knowing where they are being taken. In other words, they have no clue where the destination page actually is. Which means an attacker can tweet that he is linking to a new picture of a rare white moose, but instead send the user to a website hosting malicious content.
Organizations need to educate their employees not only on the policies and risks regarding using social media and the potential hazards of social engineering at work, but should also make them aware that they need to pay close attention when using social media sites at home.
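The defensive habit that follows from the post above is to find out where a short link leads before visiting it. The example below is added here and is not part of the original post: it follows a short URL's redirect chain with HEAD requests only (no page body is ever fetched), stops at a hop limit so a redirect loop cannot spin forever, and returns the chain so the final host can be inspected. The shortener it resolves against is a constructed local stand-in with made-up paths, not a real service.

```python
import http.server
import threading
from urllib.error import HTTPError
from urllib.parse import urljoin
from urllib.request import HTTPRedirectHandler, Request, build_opener


class _NoRedirect(HTTPRedirectHandler):
    # Stop urllib from silently following redirects; we want to see every hop.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def resolve_short_url(url, max_hops=5):
    """Return the list of hops from `url` to its final destination, using HEAD only."""
    opener = build_opener(_NoRedirect)
    chain = [url]
    for _ in range(max_hops):
        try:
            opener.open(Request(url, method="HEAD"), timeout=5)
            return chain  # 2xx: this is where the short link really lands
        except HTTPError as err:
            location = err.headers.get("Location")
            if err.code in (301, 302, 303, 307, 308) and location:
                url = urljoin(url, location)  # Location may be relative
                chain.append(url)
                continue
            return chain  # any other error: stop and report what we saw
    raise RuntimeError("gave up after %d hops (possible redirect loop)" % max_hops)


class _DemoShortener(http.server.BaseHTTPRequestHandler):
    # Constructed redirect map standing in for a shortener (hypothetical paths).
    HOPS = {"/s/moose": "/s/via", "/s/via": "/pictures/white-moose.html",
            "/s/loop": "/s/loop"}

    def do_HEAD(self):
        if self.path in self.HOPS:
            self.send_response(301)
            self.send_header("Location", self.HOPS[self.path])
        else:
            self.send_response(200)
        self.end_headers()

    def log_message(self, *args):  # keep the demo server quiet
        pass


def start_demo_server():
    """Start the stand-in shortener on a free local port and return its base URL."""
    server = http.server.HTTPServer(("127.0.0.1", 0), _DemoShortener)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % server.server_address[1]
```

Calling `resolve_short_url(start_demo_server() + "/s/moose")` yields a three-entry chain ending at the white-moose page, while `/s/loop` raises after the hop limit instead of hanging.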
Published on May 29, 2009 by Karen Letain in News
The business world is rapidly changing, and the way we conduct business will continue to evolve. The younger workforce now graduating will be accustomed to working on a contractual and evolving basis, without the regular work hours the past generation was used to or the loyalty to a company that past generations had.
Outsourcing and contract workers will become the norm as businesses adjust to the growing global demands of their clients and as new and changing skill sets are required to address their challenges.
These changes to our workforce mean an increased challenge for security awareness managers. Managers will need to be sure that this new and ever-changing set of workers can keep the company’s intellectual property secure. Security awareness training will not only need to become part of an organization’s orientation training practices but will become an essential requirement of those courses. Stringent adherence to corporate policies, and testing of the knowledge of those policies, will become increasingly important for security managers.