Whether it is the FBI’s sheepish acknowledgement that at least 10 of the 160 agency laptops that have gone missing in recent years contained “sensitive or classified information” or the drama of retailer TJX’s admission that the incident that put its customer credit card information in the hands of thieves impacted more people than originally thought, security incidents keep making headlines and vexing organizations.
Unfortunately, even the best security technology in the world can’t completely protect a company from the biggest vulnerability it has — its own end users. Security researchers repeatedly label end users as the biggest threat to enterprise security. Unlike applications that can be patched or systems that can be hardened, end
how To Get the Word out to your Staff
All the technology in the world can’t keep your information safe if your workers aren’t clued in to company policies. Here are tips for effectively communicating information security to workers:
Know your audience, and consider the most effective media for getting a particular message across to different crowds. Baby boomers prefer straightforward communication, such as well-written memos, while Gen Y workers prefer messages that are quick and to the point.
users — whether through naivete, carelessness or malicious intent
— continue to expose IT resources to serious security threats.
“Security is fundamentally a human issue,” says Scott Crawford, an analyst at Enterprise Management Associates in Boulder, Colo. “Human nature can be totally unpredictable, so when it comes to IT, the risk posture changes every day.”
And as enterprise data becomes more portable and thus more vulnerable to an evolving list of threats, both the dangers and the costs associated with these risks continue to rise. Companies face serious economic consequences from data breaches that can damage their reputations and result in remediation expenses, fines and other costs.
A study conducted by the privacy think tank the Ponemon Institute and funded by security vendors PGP Corp. and Vontu Inc. pegs the cost of a breach at an average of $182 per lost or exposed record. And costs can rise beyond that, depending
use interactive communication techniques, such as video games and comical multiple-choice quizzes. These can be engaging and let managers assess the effectiveness of communications.
Avoid top-down edicts on corporate se-
curity policies, which don’t resonate well with
younger workers. Annual broadcasts aren’t fre-
quent enough and are quickly forgotten.
try to make newsletters or e-mails
colorful. For instance, a set of “Did you
know?” bullet points can be both entertaining
and educational.
in face-to-face meetings with work-
ers, explain not only what is being done (for
example, desktop encryption), but also why
both on the business the breached company is in and how critical the records are to that organization. For example, data aggregation vendor ChoicePoint Inc., which delivers risk management and fraud information to clients in the insurance industry and other fields, watched its market capitalization plummet $720 million after news that 145,000 consumer accounts were compromised after a breach of its systems.
But while safeguarding networked information in a time when data is so mobile is a challenge, businesses that apply the right security techniques and technologies can successfully protect their resources. This starts with having the best first line of defense possible: an effective set of enforceable enterprise security policies that address how and by whom information should be accessed, stored, transferred and handled. Organizations need to communicate policies to staff members, contractors and partners that have access to this information.
“What you want to do is create in your organization a culture that has security in its core,” says Robert Lerner, an analyst at Heavy Reading, a New York-based market research firm. “When you create that, you immediately have a much more secure organization.”
Lerner says communicating the policies that control all points of data contact — both incoming and outgoing — is really what forms the foun-
it’s being done. Be sure to allow employees to ask questions and provide feedback. It not only helps them feel like their opinions matter, but managers can also draw from their ideas to improve policies and operations.
Offer workers security-related information that can be applied outside the work-place, such as the technical risks of sharing iPod songs on a peer-to-peer level; employees are more likely to pay attention to policies that also apply in their personal lives.
have a communications specialist or business executive discuss the importance of information security. This can help convince employees that the topic is a business issue — and not something they solely equate with IT.
References:
Archives