Information Security awareness for Employees: Not a choice anymore, its mandatory now!

Ravinder Arora, Head - Information Security, Iris Software Inc | Wednesday, 13 September 2017, 10:34 IST

Information security has become one of the most important and challenging issues facing today's organisations. With use of technology and widespread connectedness to the environment, organisations increasingly have become exposed to numerous and varied threats. Outsourcing and off-shoring bring new partners into an extended enterprise, with different technologies, cultures, and sensitivities to information management. Contracting, telecommuting, and mobile workers all contribute new security risks.

A survey conducted by Computer Security Institute with the participation Federal Bureau of Investigation's (FBI) Computer Intrusion Squad clearly stated that “Overall financial losses from 530 survey respondents totalled $201,797,340…”

“Cyber-crimes and other information security breaches are widespread and diverse. Fully 92 percent of respondents reported attacks.”

Now time has come that organisations should elevate the level of information security education and knowledge within their organisations. A growing challenge is establishing and maintaining a strong security program.

Organisations that do not have such a program need to look seriously at beginning a security awareness program to strengthen its defense system and protect their information resources. Technology alone is not a comprehensive solution.

Management commitment

Management awareness, commitment, and support are a few of the more common reasons given for security awareness. Involving top management and getting their support is essential in building a strong security awareness program that employees will take seriously. If management commitment is increased, and the security awareness goals and message are communicated and communicated often, progress and improvement can be made in creating a security culture.

Dealing with globalization

A growing challenge is establishing and maintaining a strong security program that spans the globe. Even in organisations in which the security group has implemented a strong core program, it’s still challenging to get business units worldwide to take ownership of their security risks.

Complying with laws and standards

Many organisations find it challenging to stay in compliance with various government laws and regulations, such as the Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act (HIPAA), as well as industry standards, including the Payment Card Industry Data Security Standard (PCI-DSS).

Security Awareness Training

Security awareness training needs a foundation of policies. Although many types of policies are in place, there must be more development of policies for incidents reporting, availability/disaster recovery, and social engineering. These policies are extremely important and should be included within an organisation’s information security program. Once they are developed, it is crucial that employees receive training on these topics.

More important part is that the organisation has the right people to implement security successfully, meaning individuals who take ownership of security and build good relationships with others in the organisation .

Information security team has to conduct information security trainings to all employees and these trainings should be are mandatory for all employees including top management, like:

• Conduct polls or surveys about current security practices with a random prize drawing for all responders

• Publish posters, short videos, and other "quick and easy" multi-media content

• Plan a contest for users and let them design posters or other security-themed content

• Develop an information security intranet site and host all information security policies on it

• Broadcast a monthly information security newsletter covers a basic security practice

By implementing some of these changes, organisations can increase coverage of components found in more formalized security awareness programs, achieve higher levels of security awareness maturity, and benefit from a stronger security culture.

We can protect the company’s and customers’ information assets, business operations and intellectual property, from a wide range of threats .organisations can minimize business damage and ensure business continuity in the event of disasters and reduce chances of business interruptions as well as reduce business risks.

All employees have to understand that information security is everyone’s responsibility. Any information security leak could lead to serious reputation lose for any organisations.

Security is not a practice, it’s a culture!

CIOTechOutlook TV