Play big brother
Nobody wants to play the villain by monitoring every action that a user performs. However, the sad reality is that much of the security breach is caused by staff members, either inadvertently or intentionally.
Incidents of both types come in different forms:
• Theft of credit cards or other financial information by unethical employees.
• Opening infected attachments from unknown or unreliable senders.
• Forgetting to disconnect from workstations at the end of the day.
• Disclose passwords to colleagues, family, or friends.
• Installation of unauthorized software on workstation PCs.
Act first, think about it later
It's one thing to promote a corporate culture that considers safety as a core value, but it's another thing to do it by sacrificing real investments in security technologies. Gartner recommends that companies: before even thinking about implementing a safety awareness program,:
• Solidify and strengthen all enterprise security systems and technologies.
• Establish formal practices and support for workers using these systems.
• Invest in safety awareness only when the two previous steps are complete.
Plan of action
A successful safety awareness program requires all employees to assume equal responsibility for the safety of the company's assets. Keep in mind, however, that this awareness alone can never replace comprehensive security strategies.
1.Set your expectations for users. Raising awareness, it's ultimately changing people's behavior. In addition to existing acceptable technology usage and non-disclosure policies, contact HR to make employee information security responsibilities a condition of employment (of course, on a case-by-case basis) . As well:
-Give accurate descriptions of what actually constitutes a security incident.
– Establish concise instructions for reporting security breaches, events, or incidents.
– Hold basic lunch and learn security sessions for staff members.
– Make sure to clearly display all documents related to security on the company intranet.
2. Make employees the centerpiece of attention. Emphasize partnerships and people, not technology or maintaining order. Strengthen their power by stating their critical role in information security. For example, avoid statements that say "Do this" or "Do not do that." Use a proactive and collaborative wording, for example "Your role is (…)" or "You can make a difference in (…)". Try to use disciplinary measures as a last resort only.
3. Measure the effectiveness of the program. Periodic safety tests or tests are a good way to promote and measure the success of the program with employees. Another method is to put a counter on the number of results in the section of the security documents of the intranet. Whenever possible, use experienced users within different departments to help you spread the word and make progress checks.
4. Communicate successes. Keep communication lines open with employees. Send updates on existing and future security initiatives, as well as the context or rationale for these decisions. If possible, set up a graphical security "barometer" on the company intranet to view the current state of security of the organization.
5.Let the flexible program. What is considered today as a safety best practice could be obsolete tomorrow. Plan for some elasticity in your program, taking into account factors such as: the evolution of business models and / or goals; the introduction of new technologies; emerging security threats and / or new viruses; and growth of the network and the user base (ie resulting in more points of vulnerability).
6. Expect realistic results, not miracles. In particular, malicious people will remain difficult to stop by implementing a security awareness program, especially if they are determined to hack and burn. It is as if the federal government were passing a law limiting the number of bullets allowed in a firearm and then waiting for burglars to obey. Nevertheless, simply conveying the consequences of security breaches to employees will greatly help to prevent them.
Security is a challenge, made all the more difficult by human error. Institute an awareness program to strengthen the safety chain and emphasize the responsibility of the user.