Think Security - Security Awareness
Security Awareness is more than a method, procedure, or pamphlet; it is a state of mind. You begin each morning by leaving your home and locking your door. Traveling to work you wear your seat belt, stop at traffic lights, and use proper turn signals. Once you arrive at your place of work, other security measures are required, e.g., displaying your parking lot permit to indicate that you are approved to park there, and wearing your photo ID which shows you are authorized to be in the building.
These examples are all accomplished routinely with security being the primary motivator behind each item. They were all learned through education, legal requirements, or a bad experience.
Security Awareness regarding Information Security is usually not quite so routine, but should be! These habits are acquired through the same mechanisms as those above, but education usually comes up far short. This is a business issue that most businesses do not focus on enough until the bad experience comes along, and then it's too late. There are many reasons why enough time, money, or resources are not allocated to Information Security Awareness, but they are all insignificant when your business is under fire because of some incident that could have been prevented. Most employees want to do the "right" thing, but they have to be educated. The need for education is compounded by the ever-changing technology front.
The best way to address Information Security and keep employees abreast of the issues, measures, and desired behaviors in a cost-effective manner is through a local Security Awareness Program. Doing so can greatly increase employee consciousness to the point that desired actions become routine, positive work habits. And don't forget that our definition of an Information Security Awareness Program also includes Disaster Recovery and IT Compliance issues, as stated in our above-noted Mission Statement. So there's plenty to dwell on and generate awareness about on an ongoing basis.
To provide a foundation for a program, we suggest that you do two things: 1) Designate a "point" person to be the focal point for the program. These additional duties would be assigned to a person who would represent the program and be responsible for carrying and delivering the message to your organization as required by your business type. 2) Establish a monthly Security Awareness Newsletter; weekly is too often, but quarterly or annually is certainly not often enough.
This is a terrific, cost-effective way to carry the torch for Information Security issues, deliver the awareness/education, and emphasize the importance of understanding the scope of information security. Once the foundation is in place, other components such as posters, email and voice messages, etc. can be implemented to bolster the overall program and serve as additional reminders regarding the significant role each employee plays in the protection of all company assets, including people, equipment, and information.
It is every employee's responsibility to exercise and promote good Information Security practices. One of the goals of a successful awareness program is to provide personnel with the information necessary to implement good security practices according to company-published policies, standards, and procedures. The protection and care of company and client business assets are important to everyone. With a good Security Awareness Program in place, developing and maintaining good practices would become second nature, much like locking your door in the morning when you leave home.