Cybercrime is on the rise, creating massive demand for skilled information security staff in organizations the world over. You don’t need a security awareness professional in your organization — you need more! Learn how to integrate security awareness into your company by leveraging your existing IT team instead of filling a specialist role.
Although the main focus of IT security normally rests with IT department, it is important for everyone within the organization to actively take part and make sure that everybody does their part to combat the disastrous effects of data breaches and lapses in security.
What follows is a generalized description of how your organization might implement a security awareness program of their own, and how the different stakeholders can all work together to achieve this goal.
Why Security Awareness is Important in the First Place
As technologies have evolved, so too has business, and the degree to which users now rely on these technologies means that people present a vulnerability if the technologies are not protected properly. The easiest way to do this is to make people understand how the human element remains the leading cause of security failures, and how they can prevent these failures by adopting an appropriate security awareness stance that is aligned with best practice and company policy.
Security awareness development makes your organization far less likely to become the target of social-engineering-based attacks, which diminishes the likelihood of your sensitive data becoming compromised. User behavior is easy to change with the right security awareness programs and prevents the disclosure of sensitive information through social engineering attacks, failure to report suspicious activity and improper procedures such as unauthorized file access and password sharing.
The main goals of any security awareness program should be to:
- Teach users about the importance of keeping sensitive information protected
- Teach users how to handle sensitive information
- Explain the risks of mishandling information
The better your employees understand the potential consequences to both themselves and the organization, the better the chances that they will adhere to the training that they have received.
Establish Best Practices
Your company may already have a security awareness program, or you may be trying to implement one for the first time. Whichever situation you find yourself in, it is a good idea to establish what your best practices are going to be.
It is important to realize that security awareness is an ongoing process that seeks to impart knowledge to all users throughout the company on a daily basis. Security awareness is only effective if it is practiced in all aspects of the organization, and it therefore needs to be a priority for everyone that has access to company information and equipment.
Create a Security Awareness Team
In order for staff training to be successful, you will need to establish a security awareness team. This is the group of people that will ultimately be responsible for developing, planning and rolling out your security awareness program. This is by no means an exclusively IT-based team of people, but rather a cross-section of departments throughout the company that can provide insight into the roles and functions that the staff working in their departments have to perform on a daily basis.
There are no set rules when deciding how many people you would like to include in this group of people, but it is important to cover as many departments as possible. It is also critical for your security awareness program to be both inward-facing and outward-facing when dealing with issues of security.
The best way to train staff is to start with a template that focuses on the roles each employee type performs, and then allow for specific functions to be added or removed depending on the individual. For example, employees with access to financial and accounting information would have to follow a different security awareness procedure than an employee that works only with data capturing. Each department will identify potential weak points in the way that they conduct business and then plan around these potential issues accordingly. By segmenting the training, companies are also more likely to meet compliance objectives.
Chain of Command: Who Is Responsible, and for What
A role-based security awareness program needs to have a hierarchy that determines how threats are assessed and escalated. For instance, a low-level employee with limited access to resources on the network might discover suspicious activity on a network share. That employee would escalate the matter to their supervisor, who would then raise it with their security awareness representative for their department. In most cases, the next step would be to get the IT department involved, depending on how the procedure has been formulated.
In this type of setup, there are generally three different roles which form a hierarchy. These are:
This role applies to everyone and doesn’t follow any special procedures that relate to a specific department. This means that common threats and potential security issues are explained and taught to these users so that they can escalate generally suspicious activities like phishing and social engineering.
Specialized Staff Roles
Members of this group are responsible for recommending security practices to all staff and for reporting to management. They need to ensure that those below them are following procedures correctly, and they are ultimately responsible for instilling the security awareness of the company into the employees that work underneath them.
Management and Owners
The top tier of staff is generally responsible for encouraging the adherence of employees to the security awareness requirements of the organization. They are responsible for enforcing the security culture of the company and are most likely to address security-related problems as they come up with employees.
Create Minimum Standards of Security Awareness
There are many ways for companies to disseminate information regarding safety and security to their employees in a security awareness program. Generally speaking, there are components that include training, seminars, courses and computer training, and then informational components such as email circulars, memos and company-wide communications. These are deployed at regular intervals and become part of the security awareness program’s communication strategy.
Once this baseline has been established, it needs to become a part of all aspects of employee interaction with the company. New staff enrolments need to focus heavily on security awareness, and where possible there needs to be an overlap with the IT policy documentation. This helps to manage the expectations of everyone using IT resources and can speed up the induction process of new employees while affirming the security stance that the company wishes to instill in the employees of the company.
The Role of IT
IT takes responsibility for the technical aspects of managing the organization’s information security, but it does this in consultation with management and all stakeholders that are involved in each department. IT makes recommendations, but ultimately it is the company’s management and owners that decide on how these recommendations are implemented, if at all.
In instances where compliance is necessary, then the best practices that align with government policies is usually the safest way to proceed. This way, the security of the organization is assured while still maintaining governmental or regulatory standards.
Because the human element is most likely to cause breaches in security, it is important that the IT department sets the example for the rest of the company. If users know that the IT department is not following their own rules, then the likelihood of other departments taking the security awareness measures seriously is not at all guaranteed.
IT also takes responsibility for remaining up-to-date with all of the latest precautions and informing the organization accordingly. As new threats surface, training needs to be created and deployed as soon as possible, especially where active threats such as ransomware are becoming more prevalent.
Information Supplement: Best Practices for Implementing a Security Awareness Program, PCI Security Standards Council