Information security professionals invariably spend most of their time and resources developing measures to prevent crooks breaking into their systems, but did you know that the majority of data breaches are caused by an employee misplacing, stealing or being tricked into handing over sensitive information?
These kinds of incidents thrive because organisations don’t place enough emphasis on security awareness programmes, which reduce the risk of human error and malicious insiders.
An effective programme can overhaul your company culture, helping employees understand their information security responsibilities and urging potential miscreants to think twice.
Here are eight things you should do to get the most out of your security awareness programme.
Grab employees’ attention with a memorable campaign launch. Announce it through multiple channels (such as in a meeting and by email) to make sure all your employees are aware of it and what it entails.
You don’t need to delve into specifics at this stage, but you should explain what the programme consists of and why it’s necessary.
Training courses are the backbone of any awareness programme, and e-learning is the ideal method. It’s affordable, staff can take the course at a time that suits them and it gives you a reliable audit trail. That means you can see who has taken the course and, just as importantly, who hasn’t.
Visual reminders reinforce your company culture and serve as a continual reminder of your organisation’s commitment to information security.
Posters by themselves won’t generate significant improvements, but they provide essential supplementary support. Employees see them every day, and they serve as a reminder of the more in-depth advice learned in training courses, books and your information security policies.
Nudge theory is a type of behavioural science that prompts individuals to independently make the ‘right’ decisions. It works by replacing the traditional ‘push’ learning approach, where teachers provide answers and learners memorise them, with a ‘pull’ approach, which uses indirect suggestion and positive reinforcement.
The approach is intended to help employees rationalise why certain processes are necessary. It goes hand in hand with training courses (which remain the most time-effective way of imparting facts), helping employees practise good information security habitually rather than only when reminded.
Presentations are an affordable and convenient option for organisations that want to control their own information security messaging (as opposed to outsourcing it to a training provider), or that want to add details that are specific to their organisation.
Nothing can replace the detail and convenience that you get from books and pocket guides. Staff can read them at their own pace, annotate them and refer to them whenever the need arises.
It’s probably too expensive to provide every employee with relevant guides, but they are ideal for managers and anyone who wants to learn more about certain topics.
As with posters, email signatures that highlight your awareness programme will give employees regular, subtle reminders of their security obligations.
As you develop your security awareness programme, you’ll realise that you can’t simply pick a framework and plug it into your organisation. Every organisation is unique, so you must account for your own specific requirements.
If you’re unsure what that entails, take a look at our Security Awareness Programme service. We assess your organisation’s requirements and provide all the tools you need to boost your organisation’s security awareness.
The programme supports the implementation of ISO 27001 and ISO 22301, and compliance with the PCI DSS (Payment Card Industry Data Security Standard) and the GDPR (General Data Protection Regulation).