Staff buy-in: Your company needs you
- Article 13 of 33
- SC Magazine, February 2008
All the technology in the world won't help if your employees don't follow security policies, so how can you win them over?
Page 1 | Page 2 | Page 3 | Page 4 | All 4 Pages
Money can buy you many things, it seems, but not perfect security. Organisations have been investing in IT security over the past few years, but laptops and disks full of sensitive data are still going missing and corporate networks are still being hacked.
In all these breaches, the common link has become increasingly obvious: employees. Whether they are failing to abide by corporate policies, simply don't know about them, or work in a company that has no security policies in place, staff are mailing out millions of user accounts without proper encryption, giving out passwords over the phone and double-clicking on attachments that promise naughty pictures of Angelina Jolie.
A recent survey of 1,000 IT managers by mobile data security specialist SafeBoot showed that 54 per cent of respondents felt that the majority of their employees ignore company security policies, mainly due to a lack of understanding and “not taking it seriously”.
The answer then should be clear: educate employees about the risks and what they should be doing to reduce them. And indeed, some companies are already doing that. But SafeBoot's research shows that 98 per cent of IT managers rely on memos and emails to communicate security. As Tom de Jongh, product manager at SafeBoot, points out: “You can't trust employees to read memos.”
So what is the best way to teach employees about security - and get them to follow the advice? The first step is to realise that not everything is going to happen overnight. “You need to change the culture of the organisation over several years,” says Martin Smith, chairman and founder of The Security Company. Smith, who started his career in military counter-intelligence and counter-espionage, has been trying to convince businesses of the importance of security awareness for 20 years.
“It's heartbreaking,” he laments. “Infosec is focusing frantically on technology, but it doesn't matter what you spend on security unless you bring people with you. If staff could just know some basic stuff, it would all go away.”
Generating this culture of security is an important component of overall security awareness. “There's an awful lot that users need to know - too much,” Smith adds. “They're overloaded with information they're not really interested in - it's boring.” Rather than trying to teach people using courses, he advises to have constant reinforcements of messages about the importance of security in conjunction with a place for employees to find out information.
Bad awareness education can be even worse than no training at all, Smith suggests. “Employees will always ask: 'What's in it for me?'. If all people see of security is a boring course once a year that effectively pushes the problem on to them so that the security team's arse isn't on the line, that's not a huge sell.” Measures such as providing somewhere for employees to find out security information, letting them know that breaches in security could cost the company severely, creating a culture of security and not forcing them to do anything, are far more likely to make employees security aware.
Assuming the constant reinforcement of the message is getting through, employees who are about to perform an action that might be potentially dangerous will pause to think and consult the knowledge zone for the correct procedure. “Then you'll have employees thinking: 'Send out 25 million bits of information? That doesn't sound right. I'll just check the knowledge zone,'” Smith says.
Obviously, creating an intranet knowledge zone or having a security support team to answer queries takes resources. Cliff May, consulting manager at Integralis, often has to teach employees of client organisations about security as part of ISO27001 audits. He uses seminars and e-learning packages to educate users, but prefers seminars. “E-learning is not as effective. If you run tests, sometimes people get the answers off someone else - it's a paper exercise they just want to get over with.”
Page 1 | Page 2 | Page 3 | Page 4 | All 4 Pages