Unless IT security is a core element of someone's job, it is not necessarily considered a skill that is part of his or her ongoing development needs. All too often new employees get just an initial presentation on security from the IT department when they start, and they are expected to remember it and keep up to speed with (and adhere to) ever-changing IT security policies and procedures.
Without an ongoing systematic and proactive user awareness program, however, a strong security posture is in jeopardy. There is no cure for stupidity or genuine human error; but you can educate your workforce to help employees make the right decisions and avoid unnecessary mistakes. Here are four reasons security policies fail:
1. Policies are lost in a sea of paper. Consider how you currently tell your workforce about the security risks your organization faces: You probably hand your employees a 20-page dossier and expect them to read and digest it. The problem is that most IT security policy and procedure manuals are written in a language to impress regulators, lawyers and auditors; the average employee doesn't stand a chance.
2. Employees are left to stumble in the dark. Remember back to your school days: Most people learn faster from practical experience rather than just reading a text book. Staff need multisensory input if they are going to fully appreciate relevant policies and procedures and understand exactly what their responsibilities are. If you expect them to play their part in protecting the organization, don't they deserve to be shown how to do it? Online videos and interactive training that can be viewed at their convenience do the job very well.
3. Employees are afraid to ask for help. An employee's ability to take appropriate actions if, and when, a security incident arises is paramount. If anyone in your organization were to discover a breach, would he know what to do? If something he had done had caused the problem, would he put his hand up and come clean or try to cover it up? Making sure employees understand the risks of leaving any security breach unreported and are not scared of reporting potential issues is of paramount importance.
4. Management doesn't practice what it preaches. This is a common problem for far too many organizations -- and it's not just a security phenomenon. Orders from on-high dictating what employees must do are regularly ignored by management. If that's happening in your organization, you need to stop it -- today.
Actions Speak Louder Than Words
To create awareness among your workforce to the IT security risks that organizations face, here is a seven-point action plan:
Action 1: Rewrite your IT security policies and procedures. Use language that will actually be understood by employees, and not just impress an auditor. Spell out the risks the organization faces for non-compliance.
Action 2: Consider changing the way you introduce security as part of the induction process. Smaller, more manageable documents are easier not only for the recipient to grasp, but also for the organization to review and update. In addition, by "drip feeding" the information, people are more likely to find time to read it and build a deeper awareness of security issues while reinforcing security fundamentals.
Action 3: Review and update processes regularly, and keep staff up-to-date. Just because an employee had a security briefing when he joined the company 10 years ago doesn't mean he knows the risks today. Educate staff, regularly, to make sure they understand what's expected of them, especially when things change.
Action 4: Consider using an automated system to deliver policies and associated documentation directly to employees at their workstations. This makes the whole process manageable for staff and managers.
Action 5: Introduce testing, either for all or a proportion of users. This will help identify where policies aren't understood so they can be rewritten to make sure everyone knows what they are doing and, as important, why. You'll also be able to identify weaknesses and therefore focus training energies on the necessary areas.
[Where Do Insurers Stand on Mobile Security Today?]
Action 6: Get employees to sign on to support key policies. As part of the process, include the consequences if they break the rules. That said, make sure they understand that genuine errors are expected and should be reported, not ignored or covered up.
Action 7: Take action against offenders. If people see policies being enforced consistently at all levels within an organization, and where appropriate disciplinary action is taken against those who wilfully neglect corporate rules, people are more likely to take notice of security information. When employees realize the circumstances and the consequences of security policy violations, it nudges them to choose the right course of action and perhaps be more prepared to encourage others to conform to standards of behavior within the acceptable governance framework.
At the end of the day, IT, business leadership and employees all are in this together, and every single person in the organization needs to understand the part he or she plays in defending the organization and keeping it secure. Don't just assume that because you've got written policies and procedures to follow that the people in your organization are security aware.
Dominic Saunders has worked in the IT security industry since 2000, holding key roles at both the reseller and vendor levels. As a co-founder of NETconsent, Saunders is now the SVP for NETconsent worldwide following its merger with Cryptzone, a Gothenburg, Sweden-based provider of IT security solutions, in December 2011.