Information security has become one of the most important and challenging issues facing today's organizations. With the growth of technology and widespread connectivity, organizations are exposed to more numerous and more varied threats than ever before. Outsourcing and off-shoring bring new partners into an extended enterprise, each with different technologies, cultures, and sensitivities to information management. Contracting, telecommuting, and mobile workers all introduce new security risks.
A survey conducted by the Computer Security Institute with the participation of the Federal Bureau of Investigation's (FBI) Computer Intrusion Squad stated plainly that "Overall financial losses from 530 survey respondents totaled $201,797,340…" and that "Cyber-crimes and other information security breaches are widespread and diverse. Fully 92 percent of respondents reported attacks."
The time has come for organizations to raise the level of information security education and knowledge within their workforce. A growing challenge is establishing and maintaining a strong security program. Organizations that do not have such a program need to look seriously at starting a security awareness program to strengthen their defenses and protect their information resources. Technology alone is not a comprehensive solution.
Management awareness, commitment, and support are among the most commonly cited factors behind a successful security awareness program. Involving top management and securing their support is essential in building a program that employees will take seriously. When management commitment is visible and the security awareness goals and message are communicated often, real progress can be made toward creating a security culture.
Dealing with globalization
A growing challenge is establishing and maintaining a strong security program that spans the globe. Even in organizations where the security group has implemented a strong core program, it is still difficult to get business units worldwide to take ownership of their own security risks.
Complying with laws and standards
Many organizations find it challenging to stay in compliance with various government laws and regulations, such as the Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act (HIPAA), as well as industry standards, including the Payment Card Industry Data Security Standard (PCI-DSS).
Security awareness training
Security awareness training needs a foundation of policies. Although many types of policies are typically already in place, policies covering incident reporting, availability and disaster recovery, and social engineering are often underdeveloped. These policies are extremely important and should be part of every organization's information security program. Once they are developed, it is crucial that employees receive training on them.
Equally important is that the organization has the right people to implement security successfully: individuals who take ownership of security and build good working relationships with others in the organization.
The information security team has to conduct information security training for all employees, and this training should be mandatory for everyone, including top management. Awareness activities may include the following:
Conduct polls or surveys about current security practices, with a random prize drawing for all respondents
Publish posters, short videos, and other “quick and easy” multi-media content
Plan a contest for users and let them design posters or other security-themed content
Develop an information security intranet site and host all information security policies on it
Publish a monthly information security newsletter, each issue covering one basic security practice
By implementing some of these measures, organizations can increase their coverage of the components found in more formalized security awareness programs, reach higher levels of security awareness maturity, and benefit from a stronger security culture.
Such a program helps protect the company's and its customers' information assets, business operations, and intellectual property from a wide range of threats. Organizations can minimize business damage, ensure business continuity in the event of a disaster, and reduce both the likelihood of business interruptions and overall business risk. All employees have to understand that information security is everyone's responsibility: a single information leak can lead to serious reputational loss for any organization.
Security is not a practice, it’s a culture!