Information security is about you … yes, you!
By Sivanathan Subramaniam February 21, 2014
- Many enterprises approach standards from the ‘People-Process-Technology’ perspective
- However, when it comes to enterprise security, the ‘people’ is often dangerously ignored
Have you ever noticed how most people use a computer? They use it the same way they use a fridge, a TV or any other appliance – that is, without having to understand how the appliance performs its function. The truth is, most people don’t really want to know how a computer works.
A car can have excellent tires, but if the brakes are faulty, the car will still be unsafe. Protection against information security threats works on the same principle: All possible weak points should be secured, whether on a desktop computer, mobile device, an organisation's server, processes or … people.
It is quite common for enterprises to approach certain standards or enterprise frameworks from the ‘People-Process-Technology’ (PPT) perspective, whether it is enterprise risk management or health and safety standards.
However, this can’t be said for information security. CIOs (chief information officers) or infosec (information security) teams tend to believe that users are not part of the organisation’s information security framework. Many CIOs believe that the existing technical and process controls are sufficient to protect the organisation’s information assets.
The truth is information can be protected using technology and processes, but technology and processes are only as good as the people who use them.
Information security breaches cost organisations time, money and reputation. Tellingly, most high-profile security breaches involve humans in one way or another: people spreading malware via thumb drives, connecting to unsafe WiFi hotspots, clicking on phishing emails, downloading unauthorised software, voluntarily disclosing sensitive information, and so on.
Fingers are pointed at lack of awareness as the No. 1, or root, cause of the problem, and it can only be addressed through effective information security awareness programmes.
It is paramount for organisations to define, strategise, deliver and verify a comprehensive information security awareness programme for the workforce.
A good information security awareness programme should have the qualities below:
- You need to identify the target workforce (the bigger the better, of course). Set a realistic expectation of participation and results at the beginning; it can be raised gradually.
Format & Visibility
- Formats are usually verbal, electronic or paper-based, and they have to suit the work environment (for instance, you can’t make awareness content available only in electronic format when there are employees in your organisation who don’t have access to electronic systems).
- Visibility is key as this is how the target audience will see and digest the awareness content. Live training sessions, video conferences, e-learning, emailers, newsletters, intranet portals, posters, social media, cards and games are some of the channels that can be used to make the awareness content visible and reach the workforce.
- Let’s take an analogy: watering a plant. Which is more effective, drip irrigation or spraying a lot of water once a week? Obviously drip irrigation, where water is supplied to the plant little by little (pouring all the water once a week is wasteful, as most of it will evaporate before the plant can absorb it). The same goes for running an awareness programme. Many organisations think that running a one-day classroom-based awareness session once a year is sufficient, which is entirely wrong. You can’t possibly cover all the security threats and countermeasures in one day without over-stressing the attendees’ brains, not to mention boring them.
- That said, too much awareness content delivery is not good either – it will also overwhelm employees, and they will stop taking it seriously. The gap between two awareness content deliveries should ideally be at least one month.
Quality of Content
- This is perhaps the most important aspect of an awareness campaign. It will determine whether the workforce likes what it sees and wants more of it.
- The content has to show the impact of poor security practice in a very understandable way without getting too technical.
- The quality of delivery has to be contemporary and engage the audience.
- The content must be relevant to your business.
- Clarity and ease of understanding are key. For instance, rather than getting your workforce to read a six-page email security policy, you can deliver the policy as something like ‘Email Security: 5 Quick Tips’.
- Delivering a security awareness campaign is only 50% of the job – you need to measure the awareness level too. A good awareness programme must be accompanied by a good measurement tool to ascertain the workforce’s awareness level periodically.
- Measurement can be done via assessments, quizzes, Q&A sessions, observations, etc.
The human layer is arguably the most overlooked aspect of an organisation’s information security initiative. This has to change quickly, and CIOs should start changing their mindset and get ready to make the workforce the most formidable defence against security threats.
Ponder this – wouldn’t it be cool if you could claim that all your organisation’s employees are information security champions?
Sivanathan Subramaniam is the CEO of Cyber Intelligence Sdn Bhd, an information security audit, compliance and consultancy service provider.