Security Awareness Program Implementation
Neil Borne
| CISSP-CCSK-GCIH-CEH | USMC Veteran | Veteran Mentor | Masters: MBA-MS-MS | Technology Leader | Investor |
Over the years many organizations have invested a tremendous amount of their budget and resources towards securing technology. While implementing various types of security technology will improve defensive posture, it will never fully eliminate the human threat. Many organizations place minimal emphasis on educating employees, expecting technology to assume most of the security burden. The only way to overcome this shortcoming is to implement a security awareness program aimed at changing behavior rather than forcing security practices upon individuals.
It’s commonplace nowadays for companies to provide the minimal amount of training needed to check a box, satisfy compliance, or fulfill some other type of requirement. The end result of operating in this manner is employees receiving an inadequate amount of training that is forgotten within a short time, which fails to raise the security baseline within the organization.
Another factor to consider is the mindset of the average user. When it’s time of year for users to participate in annual security training, the typical response for many is comparable to being tortured. End users have to understand that they are a critical component in the security process and that their actions can either protect the organization or put it in an unfavorable situation. The simple way of putting it is: “It only takes one mistake by one person.”
The first step in implementing a security awareness program is recognizing that it is not just another annual training session but a tool for altering the organization’s culture regarding information security. Factors to consider prior to creating such a program are listed below:
- Management support - As with any program within an organization, success begins with gaining senior management support. Senior management support of a security awareness program is crucial for guidance, setting goals, establishing priorities, and obtaining the necessary funding.
- Provide a simple explanation - Inform users why security is critical to the organization. Explaining the nature of the program is essential to gaining employee support, as opposed to employees feeling forced into another training session. The organization will also need to send a clear and consistent message that information security is an integral function of every role within the organization.
- Eliminate false perceptions - The average user normally perceives information security as an “IT thing” that doesn’t involve them. End users need to understand that everyone has a part in information security regardless of their role or technical capabilities.
- Must be organization specific - The program must be customized to meet the needs and goals of the organization. Even though all computer-based threats can be relevant to any organization, specific threats are more applicable based on the type of business being conducted.
- Security policies - Policies need to be clearly written so the average employee understands the direction given and is not confused by verbiage or technical jargon. In some cases the average non-technical user may not fully understand the objective of a policy and may not follow through on its requirements.
- Defining what is “Confidential Data” - The program must define the different types of confidential data that are applicable to the organization. I have attended many training sessions where they talk about confidential data over and over but never clarify what data fits into this category. Without full clarification of what information falls into this category, data mishandling can easily take place without the user being aware.
- Focus on data protection - One of the main goals of a security program is to protect the organization’s data. Make sure the program provides direction on storage, handling, safeguarding, and disposal.
- Covering threats - Most annual training programs cover the same topics over and over, causing employees to lose interest within a short amount of time. Since technology is constantly changing, training should constantly adapt to current threats and trends. The best way to strike a balance is to cover current trending threats along with those most applicable to business operations.
- Discuss liabilities - This should not be used as a scare tactic but to drive home the repercussions of security incidents: financial liabilities, damage to company reputation, legal implications, consumption of large amounts of company resources, etc. Providing examples can offer better insight into the problems security incidents can impose upon an organization.
- Inform the masses - Communicate with users periodically, not just annually or when an incident occurs. Include posters, newsletters, email tips, blogs, and reminders. Depending on the type of organization, other creative options may be available.
- Dedicated web portal - Providing a dedicated web portal would not only make security information easily accessible but also serve as a central repository for all security-based materials. When information is complex or not easy to obtain, users will most often avoid using the resources. A web portal can also serve other purposes such as reporting incidents, presenting questions, relaying new information, etc.
- Personal uses - Elaborate upon the fact that best practices in the office also apply to protecting confidential information at home. When users incorporate safe computer usage at home as well as in the office environment, better habits are formed.
- Knowledge testing - Testing before and after training events will assist in gauging the effectiveness of the program. Random testing throughout the year will also identify areas of weakness and provide the opportunity to correct knowledge deficiencies.
- Make it interesting - Studies have shown that users are more engaged with interactive materials than with typical video formats or other training methods. If the program content is not interesting, the organization will more likely have a low rate of participation and information retention.
- Include everyone - Regardless of individual roles within an organization, participation should be required. Anyone who utilizes a computer or other type of technology asset would need to be included. Full participation is required because it only takes one person to initiate a security incident, circumventing the main purpose of the program.
- Encourage feedback - Feedback is a great way to make program adjustments that fit the needs of the users and the organization. Depending on the users, some topics may require additional emphasis, presentation in a different manner, different delivery methods, or other changes to increase the effectiveness of the program.
- Updates and changes - We live in a world of constantly changing threats. Make sure that content not only follows new trends and emerging threats but also covers those that target the business. Also, delivering the same content over and over may quickly cause users to lose interest.
- Front line managers - In order to optimize the effects of the program, front line leaders will need to participate and continue to reinforce the message to their direct reports. Failure to gain support from these leaders can cause setbacks early on and hinder the success of the program.
- Metrics - Metrics will be needed in order to gauge the success of the program. Data to create the metrics will need to be collected prior to the start of the program to form a baseline. After the baseline is known, new data can be compared against it to gauge the success of the program. Data to create metrics can be generated by a short email questionnaire to start gauging knowledge and retention.
In closing, as we continue to live in a technology-driven world where money, company reputations, customer loyalty, and privacy, to name a few, are at stake, we can no longer ignore the fact that employees are the last line of defense.