We've all heard examples of thieves posing as authorized personnel gaining entry into work areas to pilfer information or equipment. Often, technical controls are of little or no use in protecting the organization in this scenario as it generally exploits the trusting nature of those who have legitimate access.
It is widely agreed that the single most effective security measure is staff awareness. So how does leadership create and maintain a security-conscious mindset within the organization? Constant reinforcement; remember the average person needs to hear the message seven times before it sinks in. So here are seven ideas to help you get the message integrated into the culture of your company. (For still more ideas, see Security Awareness Programs: Now Hear This!)
1. Appeal to personal lives: Get people interested in security by arming them with techniques to secure their personal information; if they securely tend to their own business, they're more likely to tend to their employer's. Offer Lunch-N-Learn sessions where staff can get tips on what needs to be shredded or locked up at home, how to manage personal passwords, how to secure home wireless networks, etc. Your employees will welcome the opportunity to ask questions they might otherwise be embarrassed to ask, and you'll be showing them that you care about them as individuals.
2. Make the message visible: Put posters up at fax machines, shred bins, and coffee rooms. Make them eye-catching but simple; something anyone walking by can read and interpret without breaking stride—they're more likely to remember the content. Change them at least once per month so there is always something new. If you don't have a graphic artist on staff, hire a college kid to do the artwork, or use one of the security awareness vendors for ready-made ones.
3. Provide treats: You'd be surprised how far a donut goes to get attention. Have an occasional celebration where Security thanks the staff for doing their part.
4. Use their desk: If you have a clean desk policy, perform random desk checks after hours. (See what CSOonline's staff found in their own offices in this video tour.) Reward those who have no sensitive material out by leaving a small treat like a piece of candy or a pack of gum and a "Thanks for Doing Your Part" note, or enter them in a monthly drawing for a prize. For those who aren't meeting the criteria, leave a gentle reminder with specifics about what needs to be corrected. Repeat offenders should be discussed with management.
5. Bring it to their computer screen: If you have a company newsletter, be certain to include a security article in each edition and provide information on the latest incidents that have occurred, particularly in your industry. Supplement your newsletter with a monthly email to all staff with a short message about a timely and relevant topic—PDA safety, emergency preparedness, or a reminder of who to call for suspicious incidents. Provide a Security page on your employee intranet that lists the security policies, important contact information, links, etc.
6. Require training: Training programs will be more effective if you include interactive exercises, contests, games, or give-aways. Try to keep it short, and test comprehension.
7. Walk the walk: Perhaps the most impactful technique is for senior leadership members to display their own penchant for security. If it looks to be important at the top, you can bet it'll be important at the bottom. Advertise internally when someone does something that thwarts a potential attack, or comes up with a control that bolsters the security of your organization in a cost-effective manner. Use incident exercises at all levels, including executive leadership.
Remember that your employees can make or break your security program—keep them engaged in the process by soliciting feedback and suggestions. Provide a phone message line and emailbox—anonymous if necessary. Make it easy to use, non-threatening, and welcome stupid questions.
A security-aware culture is possible in any organization as long as it is the standard by which everyone operates, and concepts are consistently reinforced.
Audry Agle, CISSP, CBCP, MBA, is an independent consultant in the San Diego area assisting businesses in the development and maintenance of risk management programs.