Tuesday, October 21, 2008

A culture of security (FT.com)

A culture of security
By Lee Hezzlewood

Published: October 21 2008 15:55 | Last updated: October 21 2008 15:55

Data loss by major organisations keeps on happening. Why? The simple answer is that many organisations don’t have a “culture of security”.

Virtually all have passwords or biometric security to control access to systems, and swipe cards and high fences to control physical access, plus vetting of staff to check backgrounds and criminal connections. But not enough engender a culture of security with all staff, encouraging them to be aware of how security interacts with their day-to-day role, how they have a responsibility for the security of the information they work with, and how to protect that information and themselves.

As an IT security consultant, I am constantly assessing the security implications of a particular course of action – will this change affect the security of a system, does that person or role need that information, does the data need to be sanitised before being distributed, and so on.

While staff within an organisation should not go around constantly looking over their shoulders, organisations should be proactive in educating their staff about security. Teaching staff the basics should be as important as showing them the fire escapes and the canteen.

So why not add a security awareness element to staff induction processes? The programme should be informative, educational, fun and interactive if it is to make an impact. Merely getting staff to read and sign security policies is not enough: few people will remember them, and fewer still will ever go back and review them.

Existing staff need to go through a similar process on a regular basis, for example as part of their annual review, so that everyone has the same security grounding and so that there is a mechanism for continual improvement and assessment.

Hold open workshops or intranet forums designed to promote a security culture and raise awareness of specific topics. Make them interactive and encourage open and frank debate. Get staff to recommend improvements in security and have topical discussions on relevant news items. Try discussing how your organisation could fall victim to a security incident and what steps you could take to stop it happening.

It is vital, though, not to bore or patronise staff. Done well, educating them about security raises their awareness of the risks and threats to themselves and to the organisation, and reduces the organisation's risk profile. A regular programme keeps the knowledge fresh and ensures staff are informed of new issues and changes to procedures.

Staff are the eyes and ears on the ground. With the right education and encouragement they can provide a valuable resource in preventing security incidents and perhaps reduce the chances of their organisation being the next news headline.


Lee Hezzlewood is an IT security consultant with Pentest Limited
Copyright The Financial Times Limited 2008
