Employee Security Awareness

Playing Big Brother

No one wants to play the bad guy by monitoring every action a user takes. However, the unfortunate reality is that a good portion of security breaches are caused by staff members, either unintentionally or intentionally.

Incidents of both types come in a variety of forms:

• Theft of credit cards or other financial information by unethical employees.

• Opening infected email attachments from unknown or untrusted senders.

• Forgetting to log off workstations at the end of the day.

• Revealing passwords to co-workers, family or friends.

• Installing unauthorized software on workstations.

Act first, think later

It’s one thing to foster a corporate culture that embraces security as a core value, but it’s quite another to sacrifice real investments in security technology. Gartner recommends that before companies begin to think about implementing a security awareness program, they should:

• Solidify and strengthen all business security systems and technologies.

• Establish formal and supporting practices for workers who use these systems.

• Invest in security awareness only when the previous two steps have been completed.

Action plan

A successful security awareness program is one that forces all employees to take their fair share of responsibility for the security of company assets. Keep in mind, however, that awareness alone can never replace comprehensive security policies.

1. Define your expectations for users. Raising awareness ultimately means changing people’s behaviour. In addition to your existing non-disclosure and acceptable use of technology policies, talk to Human Resources about making employee information security responsibilities a condition of employment (strictly on a case-by-case basis, of course). Also:

- Give precise descriptions of what really constitutes a security incident.

- Establish concise instructions for reporting security breaches, events or incidents.

- Conduct basic security “lunch and learn” sessions for staff members.

- Make sure to clearly post all security-related documents on the company intranet.

2. Make employees the center of attention. Emphasize partnerships and people, not technology and surveillance. Empower them by declaring their critical role in information security. For example, avoid statements that say “Do this” or “Don’t do that.” Instead, use proactive, collaborative wording like “Your role is […]”, or “You can make a difference […].” Try to use disciplinary action only as a last resort.

3. Measure the effectiveness of the program. Periodic security quizzes or tests are a good way to promote the program to your employee base and measure its success. Another method is to count the number of accesses to the security documents section of the intranet. Whenever possible, enlist power users within various departments to help you get the word out and do progress checks.

4. Communicate successes. Keep the lines of communication open with employees. Submit updates on existing and upcoming security initiatives, as well as the background or rationale behind such decisions. If possible, set up a graphical security “barometer” on the corporate intranet to display the organization’s current security status.

5. Keep the program flexible. What is considered a security best practice today could be obsolete tomorrow. Allow for some elasticity in your program, taking into account factors such as: changes in business models and/or objectives; the introduction of new technologies; emerging security threats and/or new viruses; and growth of the network and user base (i.e., resulting in a greater number of points of vulnerability).

6. Expect realistic results, not miracles. Malicious insiders in particular will continue to be difficult to stop through the implementation of a security awareness program, especially if they are determined to hack and burn. It is as if the federal government passed a law that restricts the number of bullets allowed in a gun and then expected bank robbers to obey it. Still, simply conveying the repercussions of security breaches to employees will go a long way toward preventing them.

In summary

Security is a challenge, made even more difficult by human error. Institute an awareness program to strengthen the security chain and emphasize user responsibility.
