Remember grade school fire drills? Teachers demonstrated how to line up; they tested the door for heat; explained how dangerous smoke is; and a few times a year the obnoxiously loud bell rang and we’d all walk (not run) to the nearest exit. I’ll bet that fire safety ritual is forever etched in your mind, but do you know who to call in your organization if you suspect an information security issue?
The challenge for organizations when it comes to information security awareness is that most programs are a combination of once-a-year lectures or, worse, online training (complete with PowerPoint® slides) that makes online defensive driving classes seem alluring. While this type of training may meet compliance or policy guidelines, retention for non-security professionals is minimal. In fact, the low effectiveness has prompted noted security researchers, such as Dave Aitel, to assert that security awareness is a waste of money.
So what should an organization do about security awareness? Many in the security community are talking about establishing a Culture of Security, instead of imposing the “mandatory” annual training programs. Infusing security awareness as part of your organization’s culture requires commitments that are not always as easy to obtain as you might expect.
Security awareness must come from the top
Your C-suite must support all your security policies and be seen to comply with them fully. Too often, as security professionals, we write policies that the C-suite ignores, even something as simple as wearing a badge and requiring visitors to wear badges. Failure to adhere is noticeable and diminishes organizational respect for the security policies.
Measure and report on awareness campaigns
Often, security professionals run awareness campaigns and track who attends the classes, but do you track and report on:
- Number of tailgaters spotted?
- Laptops left unattended and not locked?
- Phishing attempts spotted and reported (trending up or down)?
Getting executives to report these stats in the company newsletter or all-hands meetings helps keep security top of mind.
Creativity elevates awareness and retention
As we said before, security awareness through traditional online and in-class training is useful, but the information doesn't stick with us. Do something different:
- Launch a security ambassador program.
- Give out an award for best security risk identified.
- Have a donuts (or breakfast taco) and security question station as employees arrive at work.
If you are responsible for IT security and your resources are limited, the following are some simple security awareness ideas.
See it, Say it
Set up an email alias for employees to report security risks: phishing, doors propped open, loose USB devices or unattended laptops. You do need to respond to what comes in, but at least you'll have the information, and, over time, this is where you find your deputies or security ambassadors.
Yes, you can “gamify” security awareness. Try hosting quarterly or monthly contests. This really works. Here are some game ideas:
- Pass the balloon. Attach a balloon to an unsecured desk (laptop open; confidential information, car keys, purse left out …). After correcting the infraction, the balloon recipient has to find someone else to pass the balloon to.
- Candy for phishing. Put up a candy jar for a week. Anyone who reports a phish gets to dip into the jar. (Added challenge: you cannot eat the candy if you want to win). At the end of the week, the person with the most candy wins a gift card, or, perhaps more appropriately, a toothbrush.
Some of these ideas may seem frivolous or juvenile, but IT security is anything but that. Your objective is to establish a security-awareness mindset among everyone in the company. With more sentries on the lookout, you lower your risks of a security breach.