Presenting a clear security awareness message to all employees in software development companies can be achieved by a variety of methods, but not all of them are effective and some do not meet the requirements of the organization. Implemented together, these methods lead to a comprehensive security awareness program. The organization can also choose any one of them to address the most critical issue in the business without implementing a full-fledged security program. All of these methods carry the same core message: the employee’s responsibility and behaviour towards the security of the organization’s information assets. Using different media and techniques to convey this message will hold the audience’s attention; people are more attentive to a new format than to the same communication type and method every time.
Here are some of the methods to convey the security awareness message across the organization:
- Information security awareness training
- Computer-based information security awareness
- Awareness services and reminder tools
1. Information Security Awareness Training
This is a very mature, well-established and most effective method to get users’ attention in a classroom environment. It helps to explain the subject and its contents in an interactive way. The contents of the sessions can differ according to the audience profile. Usually the security awareness audience can be divided into the following categories.
i. Management
The management is the ultimate and most important sponsor of the awareness program. It has a very specific need to understand the goals of the awareness program and the role security plays in achieving its business objectives.
The presentation to the management should focus on the security threats the organization may encounter in the short or long run. It should be clearly communicated to the management that without its support the organization and its employees will not be able to protect information assets. Below are some of the management mistakes which have to be highlighted in the presentation.
- Ignoring security problems
- Failing to realize the value of their information and reputation
- Relying primarily on technology and products
- Failing to deal with the operational aspects of security
- Failing to understand the relationship of information security to their business
- Not providing training or time to their staff
- Always expecting a quick and visible return on investment when implementing a solution
ii. End Users
End users are usually not responsible for the overall protection of information in IT companies, but they must secure their work environment and the information they deal with. End users are involved in day-to-day activities and use data to perform their jobs. This type of audience requires a detailed understanding of information security threats, the damage those threats can cause and the solutions that mitigate it. They should also be familiar with the policies and procedures that help them ensure both performance and security.
The underlying message that should be communicated to end users is: consult your information security department whenever something goes wrong or whenever you have questions. Here are some of the mistakes of end users which should be highlighted in the presentation.
- Violating the security policy
- Opening unsolicited e-mail attachments
- Installing software from unknown sources
- Visiting suspicious web sites
- Not reporting security incidents
- Falling victim to social engineering
iii. Technical Staff
It is commonly assumed that technical people do not require security awareness, since they are the ones who designed the system, so why should they be called to basic awareness sessions? The purpose of a security awareness session for technical people is to explain to them how technology supports the business and what is needed to protect both the business and the technology.
The awareness session for technical people should be centred on the point that technology does not drive the business; it is the opposite. It is always the business that decides the need for technology.
As discussed earlier, a security awareness program does not mean one size fits all; topics have to be customized according to the profile of the audience.
2. Computer Based Information Security Awareness
Some companies make the awareness program easy and accessible to users at all times. They design a computer application and install it on the company’s network, where it is available around the clock. With this self-learning approach employees can access it at their leisure and study the topics that interest them. Such applications mainly cover two basic modules and are aligned with the company’s security policies. The first module is a self-assessment using a survey form. This helps users assess where they are lacking in understanding the company’s security policies; it is a good technique for users to analyze their strengths, weaknesses and compliance with the company’s awareness program. The second module is usually the education of security issues, which helps users learn the company’s security policies and procedures on their own.
Following are some of the topics which the education module should cover:
- Password Construction
- Internet Usage
- Telephone Fraud
- Physical Security
- E-mail Usage
- Viruses
- Desktop Security
- Social Engineering
- Identity theft
3. Awareness Services and Reminder Tools
As discussed many times before, security awareness is a continuous process and should be part of the employee’s job description and work environment in software development companies. Using reminder tools is one of the methods to keep employees updated on security awareness topics and remind them from time to time.
Below are some of the reminder tools available; an organization can choose any or all of them according to its needs and acceptance.
i. Multimedia Presentation
A multimedia presentation on security awareness topics is a good and interactive tool. Employees can use it as a refresher on all the topics they have already covered in awareness training. It is also a great help for remote users, for whom organizing training is not cost effective.
ii. Security Booklet
Most people in an organization find it convenient to read a hard copy of the subject instead of a soft or electronic format. A booklet in this case is an effective tool to convey the information security awareness message, the organization’s objectives and the user’s responsibility in protecting information assets. The booklet can also contain information security related pictures, quotes and case studies to educate employees.
iii. Security Posters
It is widely said that pictures and images are more effective at conveying a message across different types of community. People are more receptive to, and enjoy, graphical representation. The organization can design posters on different security issues and themes and place them in public places such as the entry door, sports hall, dining hall, cafeteria, recreation room and near the water coolers in the organization. There are many web sites that offer free posters or free samples; you can simply download and print them.
iv. Computer Screen Saver
Screen savers can be a good way to promote security messages. Almost all employees in an organization use computers and have screen savers that appear while the computer is idle. Screen savers can be built from security awareness messages, quotes or graphical representations of security related issues and installed on employees’ computers. A customizable free screen saver from Microsoft Corporation is available.
v. Email Shots
The most cost effective tool to remind users about security awareness is an email message. Email is a widely used communication medium and most staff check their email at least once a day. Sending periodic emails containing a security awareness reminder is a good and effective tool.
vi. Promotional Items with Security Issues
Gift items and promotional tools such as pencils, pens, erasers, notepads, mouse pads, key chains, cups or mugs can be printed with security wordings, quotes and pictures and distributed among people. This is also one of the motivational tools to remind employees of security issues.
vii. Security Newsletter
Many large organizations publish a monthly or quarterly official newsletter. Adding security related news and messages to that newsletter and giving a free copy to all employees could be an effective reminder. The newsletter can also be used as a motivational tool by announcing the best employee of the month or quarter: the one who won a prize for taking care of security issues or for participating actively in protecting the company’s information assets.