You’ve analyzed the risks and decided to implement an Information Security Awareness Program for your employees.
What should you include in such a program?
The following provides some examples of what you should be telling your staff about in any Information Security Awareness Program.
Personal Information Security:
Many employees do not believe information security in the workplace concerns them. Giving them an overview of their own personal security motivates them to understand how many dangers exist. That understanding may carry over into the workplace, improving their awareness of situations where corporate security could be compromised. Personal information security topics to discuss could include identity theft and social networks.
Email Security and Phishing:
A common attack vector for malicious individuals and organizations is email, typically attachments or links within the message that entice employees to click on ‘the bait’. Your employees should be able to distinguish legitimate emails from phishing.
Social Engineering:
Social engineering is usually carried out through more personal means than email alone. It could be someone showing up at your office pretending to be someone else, or someone on the telephone trying to extract information by presenting false information and/or credentials. Employees should understand that credentials must always be verified.
Passwords:
Your workplace password policy should, of course, be solid and up to date. However, everyone dislikes remembering multiple passwords, so employees sometimes reuse their personal passwords at work. This means that if one of their personal accounts is compromised, your organization could be compromised as well. Let your users know why they should use strong passwords and a different password for every account.
Public Wi-Fi and Mobility:
Many of your employees may travel and use company or personal equipment such as laptops, tablets and smartphones while doing so. This means your corporate data could be in transit, both physically and across the Internet. Let your employees know the risks of sending corporate information over public Wi-Fi, and the importance of physically securing these devices.
Privacy:
This should cover the privacy of your clients and your employees in the workplace, as well as the privacy of your employees in their personal lives: for example, how big businesses collect information on them and use it for purposes such as direct marketing.
An Employee Information Security Awareness Program could be critical for your organization. Taking a more personal approach promotes interest from your staff by highlighting their own personal risks, while also establishing awareness throughout your organization. If you would like to discuss this approach with someone who has developed these programs for various organizations, give us a call.
Nice overview – as I was reading it, I realized that the movie Groundhog Day does a beautiful job of demonstrating social engineering, as Bill Murray uses it well each day to learn more about the gal he’s interested in. In a way, it is one of the major subthemes of the movie.
My wife’s favorite movie of all time. I never quite thought of the social engineering aspect of the movie but good spot!