Seven Practical Ideas for Security Awareness

Audry Agle suggests steps for creating the culture necessary to protect your organization

By Audry Agle

June 02, 2009

We've all heard examples of thieves posing as authorized personnel gaining entry into work areas to pilfer information or equipment. Often, technical controls are of little or no use in protecting the organization in this scenario as it generally exploits the trusting nature of those who have legitimate access.

It is widely agreed that the single most effective security measure is staff awareness. So how does leadership create and maintain a security-conscious mindset within the organization? Constant reinforcement; remember the average person needs to hear the message seven times before it sinks in. So here are seven ideas to help you get the message integrated into the culture of your company. (For still more ideas, see Security Awareness Programs: Now Hear This!)

1. Appeal to personal lives: Get people interested in security by arming them with techniques to secure their personal information; if they securely tend to their own business, they're more likely to tend to their employer's. Offer Lunch-N-Learn sessions where staff can get tips on what needs to be shredded or locked up at home, how to manage personal passwords, how to secure home-based wireless networks, etc. Your employees will welcome the opportunity to ask questions they may otherwise be embarrassed to, and you'll be showing them that you care about them as individuals.

2. Make the message visible: Put posters up at fax machines, shred bins, and coffee rooms. Make them eye-catching but simple; something anyone walking by can read and interpret without breaking stride—they're more likely to remember the content. Change them at least once per month so there is always something new. If you don't have a graphic artist on staff, hire a college kid to do the artwork, or use one of the security awareness vendors for ready-made ones.

3. Provide treats: You'd be surprised how far a donut goes to get attention. Have an occasional celebration where Security thanks the staff for doing their part.

4. Use their desk: If you have a clean desk policy, perform random desk checks after hours. (See what CSOonline's staff found in their own offices in this video tour.) Reward those who have no sensitive material out by leaving a small treat like a piece of candy or pack of gum and a "Thanks for Doing Your Part" note, or enter them in a monthly drawing for a prize. For those who aren't meeting the criteria, leave a gentle reminder with specifics about what needs to be corrected. Repeat offenders should be discussed with management.
