CIOs say training is key, so why aren't companies doing more of it?

Recently, an IT staffing firm surveyed a whopping 2400 CIOs at companies with 100 or more employees. 54% of those surveyed said they would “enhance employee training on security issues,” according to ZDNet.

One has to wonder why more firms don’t educate their internal staff. We know - especially in this age of BYOD, remote working, and digital interconnectivity - that employees lacking basic security best practices are a primary vector for data leakage through social engineering, poor passwords and lost/stolen devices.


Sure, we in the security industry can roll our eyes, feeling that we have read about the importance of best practice repeatedly over the past decade (or two), but we might just be preaching to the converted.


Think about it for a second: the lady in Accounts or the guy in Sales are unlikely to be spending their time reading about IT security over breakfast or lunch. I am even willing to bet that they don't follow Twitter accounts that focus on breaking IT security news.


When we gulp in shock at some basic security FAIL on behalf of a typical computer user, are we not like a Beyonce-obsessed teen, shocked that someone didn’t see the latest news story about her? (FYI - I am told she has posed for pictures without makeup. And yes, it did make the front page of many publications.)


It’s surely not very difficult to set up quarterly mandatory training for all new personnel where they are walked through the company security policies and their responsibilities. Maybe rather than trying to build hugely comprehensive training modules, we need to just get out there and get the basics communicated clearly, concisely and regularly.


Following training, employees could even take part in a subsequent quiz to ensure they have understood the rules. They could even - gulp - be asked to sign an agreement where they promise to adhere to all the rules, or agree to face some sort of disciplinary action.


Whatever approach works best for your organisation, CIOs would be wise to create a tiger team that involves representatives from IT, HR and Legal to create a top ten list of security basics for all employees. Make posters, send internal emails, have competitions...anything that will help those who don’t live and breathe security understand the importance of following these rules to protect both them and the organisation they work in.
--
If you are a CIO and want to learn more about security training, we hope to see you at our upcoming e-crime and information security Congress in London on 10-11 March.




Tags: survey report CIO CISO training security education policies best practices.