Security Awareness Program

By Ryan Groom, About.com

All companies, large or small, can benefit from a security awareness program. Knowledge is power, and educating your employees about the risks and benefits of using secure practices can only save your company time and money. What is the loss to your company if users cannot use their computers, if key company information is stolen, or if the IT staff spend extra hours or days fixing the latest security violation?

A security awareness program can help with viruses, spyware, hacking attempts, physical premises access and even emergency procedures for fire, etc. Some companies believe that this will never happen to them, but when you look at the statistics for monetary loss due to security breaches, it is happening to someone. Hackers who write malware or break into computer systems are no longer doing it for fame and prestige; it is now about making money. With that in mind, here are some basics that a company can include in its security awareness program to keep the company and its employees safe.

Policies

Not every employee will be able to repeat the corporate policy verbatim, but a security awareness program can reiterate the policies most pertinent to the employee’s day-to-day work.

Passwords

While this should be covered in the policy section, password policies can never be restated too many times. Passwords to systems are as important as keys to buildings, and not all employees equate the two.

Viruses

This should include not only methods for updating the antivirus system, which should be automated where possible, but also steps for notifying the helpdesk in the event of a suspected outbreak. It is important to create an environment where employees feel that they can safely report viral outbreaks without persecution; otherwise they will not report them and will potentially cause more problems.

Email

Email is one of the biggest issues with respect to abuse and corporate security. This is an opportunity to remind employees about email content sensitivity and about spamming others with the latest joke or “Social Viruses”.

Internet Usage

Remind users about the internet acceptable usage policy, about surfing to safe sites, and about not surfing to sites of questionable content due to “drive-by hijacking”, etc. Most corporations today allow some personal surfing, and as such it is a great way to remind employees to balance personal with professional.

Computer Theft

Laptops and small desktops are easy targets, but the proliferation of PDAs is also making theft of these devices a risk to corporate security. The security awareness program should give employees guidelines for protecting company assets, such as using laptop tethers, putting a laptop in the trunk when leaving it in the car, and never leaving devices unattended.

Social Engineering

The majority of information leakage is from social engineering. People’s natural tendency is to help and provide information. While this is a desirable trait for an employee, employees should be trained to qualify communications prior to giving out information.

Building Access

Educate the employees about how to engage the floor marshal.

Regulatory Concerns

An effective security awareness program should emphasize any industry-specific regulatory requirements as well as any broad-based regulations such as privacy policies.

Conclusion

The security awareness program needs not only to address these areas but also to make the employees feel like they are part of the security solution. This goal can be achieved in many different ways, including contests, challenges, posters, and lunch and learns. It has been shown that people in general learn better through repetition. Make security awareness part of the daily work routine and you will have employees that are effective aides in corporate security.

©2008 About.com, a part of The New York Times Company.

All rights reserved.