Awareness

The weakest link in any security program at any organization is the user. A normal user does not consider security when they think of their job function. Part of any quality security program is teaching users what security means to the company and how each user impacts the process. Understanding the risks to the company and what steps they can take to help prevent intrusions provides each user with a sense of responsibility to help protect company resources.

  1. Make security part of the hiring process.

    Good security is taught from the moment a new employee signs on with the organization. New employees should be briefed on the importance of the organization's information assets and the impact that quality security practices can have in protecting those assets. Procedures should be defined from the outset in the employee handbook, and each individual needs to sign an acceptable use policy (AUP) confirming that they understand the limitations placed on their use of company resources.

  2. Support from upper management is essential for security practices.

    No security program can be successful without the total understanding and support of upper management within the organization. Employees at all levels must understand that management believes security is enough of a concern that they stay involved in the process. In most cases, the security policy defined by a company needs to be backed up by upper management or the entire security program lacks the credibility to be enforceable at the organization.

  3. Lead by example.

    Upper management can also provide support for the security processes and procedures within an organization by making them the example to follow. Employees notice managers who consistently use good security practices. Unfortunately, managers who talk about how important security is but fail to follow through in their own actions are noticed even more by employees who may not completely understand the value of security to the organization. Actions speak louder than words and managers are in a position to prove the true impact that good security practices can have on the organization.

  4. Provide security and policy training.

    When new hires are brought into the organization, they are given a lesson in how the organization views security and what the policies are that govern security within the company. But employees who do not work with security processes every day soon forget what they have learned. Security training is an annual reminder to every employee about the security goals of the organization and where they fit into the overall scheme.

    Security awareness training must be driven by upper management so that all employees understand that security is a corporate priority. Managers will find it useful to reiterate the security policy and acceptable use policies. Annual training helps mitigate the "out of sight/out of mind" condition that develops when users in accounting or human resources do not work with security practices on a daily basis.

  5. Perform clean-desk spot checks.

    Some organizations have implemented spot checks at various times of the year to ensure that employees are not leaving sensitive information on their desks or work area. In the commercial world, it is rare to see a company that considers its information in terms of level of secrecy. The term Sensitive But Unclassified (SBU) refers to information that may not seem important on its own but when multiple pieces of this type of information are viewed in aggregate, they reveal a larger and more sensitive picture of organizational activity. Third-party cleaning crews, maintenance crews, and contractors are all reasons to ensure that sensitive corporate information is hidden from view when not in use.

Note

Having the backing of upper management is the key to success with many security practices. Security policies require management buy-in in order to be enforced. Security awareness training needs management buy-in so that time can be set aside for this process once a year. Without management buy-in, the security team may find itself lacking important resources to implement a quality security program in the organization. Remember: Management plays an incredibly important part in the process just by staying involved and leading by example.

Notes from the Underground…
Implementing Security Awareness Training

Different organizations have different needs for security. The security policy they develop contains all the information relevant to the organization's security responsibilities and expectations. But creating the master plan and implementing the solutions are sometimes simpler than trying to help employees and co-workers understand what their security responsibilities are.

In practice, security awareness training should combine real-world security information, such as statistics on financial losses and the intrusions associated with them, with the content of the organizational security policy. Companies prefer this approach because it first gives the employee a basis for why security is so important and then shows them how their own organization has decided to confront those threats. Employees find it easier to adapt to security policies when they understand why the policies matter.

Security training is typically held on an annual basis for all employees within an organization, for a couple of reasons. First, each employee has their own job duties, which may or may not directly involve implementing security in the organization. For individuals in finance, accounting, human resources, or graphic design, security does not come up every day. The best analogy is the "out of sight/out of mind" concept: employees who do not have security in their job functions will not think about security constantly, and annual, iterative training helps reinforce security concepts.

The other reason companies prefer annual security training is that security policies are not static documents. They change over time and may have important additions of which employees should be aware. Annual training ensures that employees understand the policies as they exist in the current timeframe. New threats and risks can be brought forward and introduced, along with each employee's responsibility for combating those risks.




SSCP Systems Security Certified Practitioner Study Guide
SSCP Study Guide and DVD Training System
ISBN: 1931836809
Year: 2003
Pages: 135
