How to Create Security Awareness in the Workplace by Robert Siciliano

Imagine if every IT security manager had the budget, the resources and the necessary talent to keep all hardware secure, business customer information safe and sensitive data protected. It would be a dream come true. The reality, however, is that it still wouldn't be enough protection. There would be leaks and data breaches, because the weakest links in most systems are people—the human element.

Two things must happen to increase security awareness in businesses: Leaders must become vocal about security, and employees must become knowledgeable. One way to shore up your business's security defenses is to train all your employees on how to handle, manage, share and store sensitive data. Employees also need to be made fully aware that a data breach could jeopardize their jobs. Leaders must learn to communicate consistently, whether it's through email, newsletters or face-to-face meetings.

There are many ways to increase awareness of security in your office: New and current employees should undergo mandatory security training on computers, staged phishing emails can be used to teach employees how not to be lured into these scams, technology can be implemented that alerts users when they’re doing something risky (real-time feedback plus instructions for correction have a powerful effect on users). Here are eight more tips to increase awareness for a more secure business.

1. Get a baseline. Collect metrics before implementing awareness efforts so you have a reference for the effects of the efforts. Metrics could vary, from outcomes of internal phishing to tracking the number of visits to forbidden websites. This way, you can measure efforts objectively. 

2. Make it fun. Don’t let a small budget be an excuse for lack of security awareness training. Be creative. For example, one company slipped its security policy document inside boxes of chocolates that were given to employees on Valentine’s Day. Indulging in the chocolates motivated the employees to take a look at the document. Another company set up a mock cubicle that contained security violations. Employees who could name all the violations were entered into a drawing for a prize.

3. Activate C-level support. This refers to high-ranking executive support in a company, and it generates lots of benefits, like support from other departments. To get this support in the first place, C-level decision makers should know how important security awareness is for return on investment. Preach and prove that security awareness will do this, and they’ll jump on it.  Another way to sway upper management is to customize newsletters and other documents just for them that include information on security awareness.

4. Involve other departments. Don’t underestimate the “smaller” departments such as human resources, marketing and legal, as they can often make security awareness training mandatory, such as for every new employee. To help get the support of various departments, incorporate a need for their expertise when generating the universal security awareness efforts.

5. Emphasize “how,” not “don’t do.” Be realistic. Though certain activities must be outright banned, realize that other activities can never be 100 percent prevented, such as use of social networks. Instead, stress the “how,” as in, how to use social media safely without risking security.

6. Vary your communications. The most effective security awareness efforts involve multiple modes. An awareness program should rely on numerous tools, such as newsfeeds, newsletters and blogs, staged phishing emails, and even video games.

7. Re-evaluate in 90-day cycles. Every three months, re-evaluate the awareness plan. Studies show this approach is most effective. Focus on three topics at the same time and reinforce them throughout the 90 days … after which there will be a reassessment to see if any modifications should be made going forward.

8. Make it personal. We are a selfish species and that’s not a bad thing. Being selfish is how we've survived over the ages. Discuss security awareness as it pertains to individual personal security. Discuss scams, ruses, social engineering and protection such as antivirus, security updates, wireless VPNs and theft prevention in your employees' personal lives as well as professional lives.

Robert Siciliano is the author of four books, including The 99 Things You Wish You Knew Before Your Identity Was Stolen. He is also a corporate media consultant and speaker on personal security and identity theft. Find out more at www.RobertSiciliano.com.

Read more articles on company culture.

Photo: Getty Images