The importance of employee awareness to information security

Abstract

The business case for information security has never been stronger - but if security infrastructure is the engine, staff awareness is the oil that makes that engine run. Our clients are the growing few that have recognised the critical importance of engaging personnel. Three recent awareness campaigns that The Security Company (International) Limited have run illustrate just how important this investment can be to the success of a company's information security policies and infrastructure. Client 1: a global insurance group with thousands of call-centre employees around the world, each with the data which costs millions of pounds each year in investment in security infrastructure to keep secret. Connected to their ears and mouth were total strangers who may or may not have a right to access that information. For this client, we ran an extensive employee-awareness campaign - e-learning, rolling internal marketing campaigns - and we built an information security knowledge zone, a Web-based repository for their policies and procedures that is easily searchable, accessible and user-friendly. The result has been increased awareness throughout the organisation of the basics of information security. Client 2: a major international bank undergoing an organisation-wide security review. We ran an e-learning campaign aimed at teaching managers and senior staff how to audit their existing data protection and security processes. What emerged was that many departments were operating to years-old security standards. Patches had not been installed on protective software, and awareness of changes in policy was low. Our client was able to review procedures cost-effectively, but more importantly, identify risks early on, saving money and reputation in having to put them right at a later date or when they have already gone wrong. Client 3: a major international business tasked with maintaining awareness of security policy throughout a loose network of free-lance employees, temporary staff and part-timers. We developed an induction programme based on our proven information security knowledge Zone, and implemented a supporting rolling campaign of security awareness. The longer employees remained at the organisation, the more they were expected to know.