Information Security Awareness training – A vital control in securing your IT environment
“There is no security patch or update available for download to fix the human stupidity issues”
Today nearly every organisation has deployed firewalls, intrusion prevention and detection systems and other security devices to block attacks from the outside world, but that alone is not enough to secure the environment, externally or internally. Employees and the organisation's other stakeholders play an equally important part in its information security.
In recent years many large enterprises have reported staff-related incidents. This points to a serious lack of security knowledge among employees, and to the damage that can follow from it. There is also an increasing number of incidents involving peer-to-peer file-sharing on work computers; besides breaching copyright, this can consume a large share of the bandwidth the organisation needs for legitimate use of the Internet.
Consider a scenario where an employee, to make sure he does not forget his workstation or server password, writes it down on a notepad and leaves it unattended on his desk. Anyone who picks up that notepad has the password, can log in as that employee and, from there, attack the rest of the network. Likewise, what use is a firewall when an employee unknowingly brings in a malware-laden CD-ROM or USB stick, browses a malicious website, or downloads infected files from the Internet? In each case the malicious code is introduced from inside the perimeter, where the firewall never sees it. This is why employees are often called the weakest link in security, and why raising their awareness is of the utmost importance.
Challenges organisations face in having an effective Information security awareness program:
It is often difficult to get both employees and management to buy into a security awareness program, and several challenges must be addressed while implementing one:
- Low credibility of the security department: Security staff may not always understand how the business functions, and the security department itself may lack professionalism, so its message carries little weight.
- Organisational culture: Some companies hesitate to introduce a security awareness program because it does not contribute directly to the organisation's success, and the prevailing culture may be ''we've never done it that way before'' or ''we always do it this way''. This makes it very difficult to get management to implement such a program.
- Naivete: Some organisations believe they will not be attacked in the near future because they have no record of past threats or attacks, and they place full trust in their employees, assuming none would act in a way that endangers the organisation's assets. They therefore see no need for a security awareness program.
- Perception of a disappearing threat: Employees may see no need to improve their awareness of threats they consider outdated.
- Departmental or employee indifference: Employees are often under heavy work pressure, with many tasks already assigned to them, and are sometimes overworked. When asked to follow the security policies presented during the awareness program, they are less likely to comply because they feel that securing the company's assets is the security department's job.
- Lack of reporting capability: A feedback system is needed to measure the effectiveness of the program and report the results back to management, so employees need a proper channel for reporting security matters. Collecting this information is the basis of a security management plan.
The information security awareness program should be delivered to, and focused on, the entire organisation. Senior management should set the example for proper IT security behavior and see that the program is deployed and implemented properly. The program should be aimed at all levels, including senior and executive managers.
Planning the Information security awareness program:
The following steps need to be followed when planning an information security awareness program:
- Define the audience: Collect basic information about the audience (e.g. name, age, sex) as well as their positions and backgrounds in the organisation (e.g. HR department, management level). Third parties the company deals with should also be considered part of the audience.
- Determine audience needs: Find out what the audience needs to know, either by handing out a questionnaire or through one-to-one interviews.
- Define performance objectives: Performance objectives are derived from the assessment of audience needs and guide the training and education delivered to the audience.
- Identify resource support: Take into account all the available parameters, such as budget, staff members and support from other parts of the organisation.
- Management approval: This is an extremely important stage; you need strong reasons for carrying out a security awareness program in order to obtain management approval for it.
- Select delivery systems or media: Decide how the awareness message will reach employees. It may be through presentations and workshops, posters and handbills, screensavers displaying security awareness alerts on employees' workstations, videos, emails, etc.
Awareness is not the same as training: the whole purpose of information security awareness presentations is simply to focus attention on the threats that sources with malicious intent, external and internal, pose to the organisation and the individual. Information security awareness programs should enable individuals to recognise IT security concerns and respond accordingly, and they should be encouraged in every IT and IT-dependent organisation, whether a large, medium or small business.