Why Do You Need a Security Awareness Program?
Continuous education is a key way for organizations to ensure that their employees stay up-to-date with current industry best practices, and teaching employees and contractors the importance of information security and personal privacy should be an integral part of it. For organizations that process personally identifiable information (PII) and protected health information (PHI), maintaining a security awareness program ensures that employees and contractors are fully aware of their obligation to keep such data secure and of why it matters. Because employees and contractors so frequently come into contact with PII and PHI, they are the frontline troops that secure protected information, and they must therefore be trained on the sensitivity of the information they control as well as the risks associated with it. Ultimately, in this day and age, it’s irresponsible not to have a security awareness program in place.
What Should Your Security Awareness Program Include?
Instituting a culture of compliance is the first step towards establishing an effective security awareness program. Leadership should set the tone for compliance and inspire employees to uphold security best practices. If employees see management’s focus on creating a secure work environment, that attitude will spread.
Aside from establishing a culture of compliance, your security awareness program should act as a comprehensive overview of security best practices. For example, you might hold a monthly meeting to discuss recent breaches in the news and what your employees could learn from them. This would allow leadership to engage employees in conversation, asking them about potential security threats and what they would do in the event that a breach occurs.
A security awareness program is also just as much about practice as it is about education. So, you might review with employees the updates to your password expiration policies, and then practice creating passwords that meet the new requirements. You might teach employees how to identify phishing attempts made via email, and then test that skill with mock phishing attacks. Using mock breaches during your security awareness program also lets your organization review and practice its policies and procedures for reporting breaches and identify any issues with its incident response plan.
For additional tips on how you can plan and implement a security awareness program, follow @BenjaminWright on Twitter. To learn how KirkpatrickPrice can help you establish a security awareness program, contact us today!
These days, an important program for any kind of employer to maintain is a security awareness program to help employees and contractors in the workplace understand the importance of information security and personal privacy. As organizations control and process personally identifiable information such as credit card numbers or Social Security numbers, the organization often has an obligation and a need to secure that information. The frontline troops on securing information are the employees as well as contractors who might be in the workplace. These employees and contractors need to be aware of the sensitivity of the information they control and the risks associated with this information, such as the possibility that an unauthorized person will trick the employee into disclosing personally identifiable information. The employer today is wise to have an awareness program that covers all employees and contractors that are handling this kind of sensitive information.
One kind of awareness program is the program that’s called “Securing the Human,” which is offered by the SANS Institute. The SANS Institute is an educational organization in the information security world, and it publishes a whole range of videos that employees can watch and can click on to indicate that they’ve actually watched them and understood the content of the video. The video will warn employees about clicking on strange attachments from unexpected electronic mail where the attachment might have a virus or a Trojan built into it. Employees are trained through these videos that they should be suspicious when they get a strange telephone call from someone asking for their password, for example. These are just a few examples with many kinds of topics that need to be addressed in a security awareness program in the modern workplace.
The videos are not the only way to have a good awareness program; there are many creative things that a wise organization could implement. For example, you could have a brown bag seminar where you invite employees to come during lunch and hear your security awareness team explain the kinds of risks and threats that are most prevalent within your organization. Maybe another form of security awareness training could be to periodically send email updates to employees that notify them of different kinds of attacks and how to avoid them. In these updates, you could also remind employees that if they ever have a question, they need to contact your security team.
In order to learn more about the course that I teach at the SANS Institute, you can click the link below. Also, another link below provides more information about me and my work in private practice.