In a previous post, I talked about the importance of security education and awareness programs for employees. If you are an IT administrator or a business owner reading this blog you may feel that in theory this is great and makes sense, but in real life, resources and time are precious commodities that could be used on other projects.

Very true, but as Emmanuel Carabott explains in two recent posts, Security: The Human Element and Fake Update for Microsoft Outlook/Outlook Express, an organization’s employees are a security threat to be reckoned with because they, ultimately, are those using (tinkering) with the technology.

The rationale behind security awareness programs is not to castigate or belittle employees’ lack of knowledge but rather to help them understand and appreciate the value attached to the organization’s data and also the repercussions if that data is compromised or lost.

Awareness programs will vary from business to business and the ‘organizational headaches’ get worse the larger the organization; however, there are some pointers that can help to ease the pain and make security awareness programs a success. The following is not an exhaustive list but program essentials that can apply to any organizations considering a security awareness program.

  1. Plan well. Each step of the program must be well thought-out. Who is your audience? How does security risk differ between departments? Do you need different content to address concerns in different departments? Do you take the one-for-all approach or tailor your content for smaller groups? This is particularly relevant as the organization grows in size. How will the content be designed and by whom? Will it be online or classroom style?
  2. Support from above. The success of any internal program needs to be supported by executive management. Without a senior member of management showing active interest in the program and encouraging staff to participate, employees may be reluctant to attend and fail to take anything of value.
  3. Make the most of the resources you have. If the organization has a marketing or communications department, use their skills to prepare the content or to package the message intended for employees. They can also provide feedback on the effectiveness of the messaging from a non-IT perspective.
  4. Language, please. A sure way to kill of any security awareness program is use of the wrong ‘language’. The majority of employees – from the CEO down to the receptionist – do not understand technical jargon. If the message is wrapped in tech-speak you will not only lose your audience but alienate them further. Every message should be explained with examples that employees can understand and associate with. Talk about situations involving the organization itself, even if hypothetical, to get the message across.
  5. Company-wide sign-off. Have all employees who attended the security awareness program sign a document in which they acknowledge their attendance and awareness of the company’s security policies. Not only does it make the program ‘official’ but it can mitigate frivolous lawsuits or employees claiming that they did not know the rules.
  6. Regular communication. Few people have such good memories that they will remember all that has been said. If they are basic computer users, certain concepts or instructions will take longer to take effect. If the organization has an internal newsletter or magazine, a monthly article will help to refresh people’s memories. Sending out a monthly email to all pointing out some important security news or new social engineering threats (beware of those twitter invitations) can go a long way to reinforcing the message as well as keeping employees abreast of security issues. Written in simple yet engaging language, employees can find these articles / emails to be of interest. Encouraging them to pass on to family and friends would not be a bad idea.

Security awareness programs will vary greatly between organizations and their success will depend on many factors, not least the employees themselves. Even if 50% of staff listen to what they are being told and apply what they’ve learnt, the organization will have benefited a great deal.