In my career I have been asked hundreds of times what single item is the holy grail of security. Is it a firewall? Is it an Intrusion Prevention System (IPS)? Perhaps it is a Single Sign-On Tool (SSO)? No, contrary to what most vendors say, the cheapest, easiest and most effective security component of any corporation is NOT a firewall or an IPS, nor is it ANY technology. So what is it?
The old axiom is true…security is only as good as its weakest link. What is your company’s weakest link? In the vast majority of companies, that link is its… PEOPLE! All the technology in the world can’t stop an employee from circumventing that technology to make his or her job easier.

While technologies such as firewalls, IPS and the myriad of other tools are needed and useful, they alone do not address the issues of people. How do we address this issue? What is that low-cost way to ensure that your company’s security posture improves? It is quite simple…one of the most overlooked tools in a security provider’s kit: Security Awareness Training.
Training is a simple and inexpensive way to increase your company’s security posture. The effort put into training your employees can greatly increase your security coverage. Think of it as the security geometric curve of effectiveness. Training allows all your employees to cover more areas with vigilance.
What are the steps to creating better security awareness at your company?
- Security Awareness is a campaign and not a class.
While a PowerPoint presentation on security can have an effect, it is not an effective campaign, just a component of one. Periodic security reminders are very useful for staying vigilant in this day and age.
- Compliance
Compliance is a dirty word in today’s corporate environment. But in reality, many compliance initiatives require some sort of awareness training (HIPAA/PCI). Leverage those corporate initiatives to help educate your employees. This may be a way to find some budget for your awareness program.
- Help your employees at home and they will help you at work

One of the best ways to educate your employees is to teach them how to secure their own private data and home computers. This teaches them the importance of security as it relates to their own resources, not just the company’s. Most employees take this to heart and will begin to see how they can utilize those same practices with the corporate assets and your customer data.

- Reward
If one of your associates sees a security issue and notifies you, play it up! A great tool for helping create awareness is to give awards when people do the right thing. Take them to lunch; write them up in your company newsletter. These little things reinforce great behavior.
- Don’t be Chicken Little
Think about the last time you paid attention to the Homeland Security threat level. What is it today? Do you know? We in the security industry have done a great disservice to many of our users. We have said the “sky is falling” so many times that people have stopped listening. Be positive in your security training. Talk about effective techniques for creating passwords, rather than just telling users not to use their names for passwords.
- Utilize your corporate training tools
There are many tools you can utilize to help keep this campaign going:
- Intranet/Internet – Leverage your collaboration or internal sites. Put up a weekly/daily security highlight. Link to various internet resources. Set up a Security FAQ. These are all great tools to help keep that awareness high.
- Newsletters – Does your company have a newsletter? Leverage a column in that newsletter. If not, create your own quarterly security newsletter. What are the best topics? Use topics that will help educate your employees on how to secure themselves AT HOME. At home? Yes, at home. The more aware they are of security and privacy issues with their home computers, the more aware they are of the risks to your company and your customers’ private data.

- Emails – Leverage periodic emails for emergency patches/releases. This not only affects your corporate environment, but again, it helps to educate home users. An ever-increasing number of home computers are being used to connect to corporate environments using VPNs. Keeping your employees’ home computers secure is also important.
- Learning Management Systems – Does your company utilize learning management tools and training tools? Great security content works very well with many corporate LMS systems. Many larger corporations have a training department that will help you develop content.
A good training program can really increase a company’s security posture at a fraction of the cost of technology. Leverage these tools in YOUR company to make a lasting effect.