It would be great if companies included information security as a portion of their "new employee welcome orientation" sessions.
Best led by a member of the IT/InfoSecurity team, this InfoSecurity Awareness Training would be a great way to educate and empower employees to be safe computer users and simultaneously protect the company's data, network, and tech resources.
The training should focus on software security awareness, computer and network security awareness, and social media awareness (a discussion of the company's policy for access to social media during business hours as well as any other company policies about content - if access is allowed). Emphasis should be given to complex password/login creation, use of USB drives, virus attacks, and disaster recovery plans.
Other topics to discuss include good security practices, such as, make regular back-ups, encrypt sensitive data, turn off computers before leaving the office, carefully dispose of storage devices, don't install illegal copies of software or any other personal software on company computers or devices.
With today's on-the-go and work-from-home workforce, it is also worth discussing the importance of secure Wi-Fi – best not to just open a laptop anywhere. In addition, smartphones can be hacked. Create passwords for all portable devices including smartphones, laptops, eReaders, tablets, etc. And if a security breach happens, alert the appropriate IT/InfoSecurity team immediately.
The bottom line for IT professionals is to do your research. Before you start drafting a security awareness program, you need to know as much as possible about your technology environment.
Learn how your company obtains, uses, stores, and shares information – and also understand the dynamics of your company’s specific industry – because security measures will not be the same for a bank vs. a hospital vs. a restaurant vs. a construction company.
If an IT manager doesn’t understand how a company is using its systems, it’s impossible to determine accurate security levels. In addition, find out who has access to what information and why as well as who needs access to what information and why.
Review and cross-reference the two lists to determine if the names included are correct based on job functions and responsibilities. A great idea would be to engage leaders from throughout the company who represent different specialty areas so that they too can support the security awareness program.
For security awareness to be effective, it cannot be a single event. In today’s era of data breaches and malware attacks that appear much too often, companies must promote security awareness to all employees.
An effective addendum to a security awareness training program should be weekly email newsletters sent to employees with "quick tip" reminders. If such a program is implemented, companies should require employees to sign off on the key elements of the program, just as they do when they receive new employee manuals.
Companies need to be proactive in their security protection – and all employees must do their part – but they need a security awareness program with regular updates to accomplish this.