ITBusiness.ca

Keeping employees in the loop

How do we inform our employees internally about IT and non-IT security threats and changes in our security policies so that they take note and comply, not tune out and ignore?

Humans are the weakest element in any security solution. Every security officer is faced with the challenge of implementing security solutions that take into consideration not only the technological threats but also the human factor.

The successful implementation of any security program — IT- or non-IT-related — requires changes in user behavior. The uphill battle of educating staff and changing behavior begins once the security program is in place. Security awareness is what we call a preventative access control. It is tied into security policies, incident response and disaster recovery.

Security awareness is an ongoing process

The successful implementation of any security program starts immediately after the hiring process. Security policies should be communicated to all new employees as part of their orientation package or welcome kit. They should all know what is expected of them while employed with the company. Penalties and actions should be clearly communicated and no exceptions allowed.

Security policies should be available any time at the click of a button, preferably via your intranet. A basic set of policies may also be made available on the Internet for outside, or client, access.

The security group should be just a phone call away. Make contact information obvious in your telephone directory and put stickers on phone sets and monitors. If a Computer Incident Response Team is present, its contact numbers should be posted as well. Users should be aware that they should call the relevant security body if they suspect any type of malicious activity.

Every employee in an organization, from the CEO down to the last employee, requires the same amount of security awareness, and every employee has a role and a responsibility. Make sure this is communicated clearly to all levels within the organization.

Tools of the trade

A successful security program is fresh, creative and updated frequently. Here are some tools that security officers, managers and business owners can use. Rotate them as frequently as you can:

Choose any means that reach the maximum number of employees with a minimum amount of effort.

The goal of creating security awareness is to bring security to the forefront and make it a recognized entity for all users. Like any important initiative, it all starts with executive buy-in. When management agrees that security is a top priority, users have no choice but to comply.

Sam Kamoutsis, CISM, CISSP, is president of PC SYSWARE Inc. (dba SECURE SMB), a consulting firm that specializes in SMB security issues.
