Audry Agle, a former CISO, offers 7 practical ideas for increasing security awareness below. I’ve summarized some of the points and added comments of my own in italics:
1. Appeal to personal lives – Helping people deal with security issues at home tells them you care about THEM, not just company systems and data.
I found this the most useful method. I helped change the security culture at one company by offering “brown-bag” presentations during the lunch hour. Everyone wants to be treated like a valuable PERSON with problems and feelings, not simply a stupid WORKER who needs to comply. I even gained a few friends that came in handy later.
Also, I found that whatever security consciousness a person applies at home is brought right back to work. More security issues and possible problems were reported by those to whom I was able to make security a personal issue.
2. Make the message visible – posters, signs, email reminders.
One company I visited recently has a CONFIDENTIAL DATA poster at each printer, dealing with marking documents properly and picking up printouts promptly. When I was provided a laptop, a SECURE LAPTOP USE flyer was included.
3. Provide treats – Celebrate security with donuts.
4. Use their desk – Do random clean desk checks after hours and leave candy or a gentle reminder depending on what you find.
I think doing this over lunch would be more effective. Not only would the people be able to make changes immediately (instead of leaving sensitive data on their desk overnight), you would run into some people and be able to interact in person (warning: not for the faint of heart).
Also, going through trash baskets, and especially recycle bins, should be standard procedure. I always learn a lot about how departments really work; wastebaskets don’t lie. More on dumpster diving and Wastebasket Audits.
5. Bring it to their computer screen – via a security newsletter or intranet page.
At one company, the help desk distributed a short email (short is the key) that I wrote to each new user highlighting basic security principles. I also had a 40-page website devoted to information security, security policies, tips, and the most popular page, the wall of shame.
On the wall of shame I posted examples (redacted somewhat) of violations. Usually, you could still tell who made the error, but it wasn’t blatant. Each incident also included how to avoid this security issue in the future. That page was checked at least weekly by many people in the company, and was very popular, and the best part, the people came to the page and educated themselves. Best mousetrap I ever built.
6. Require training – keep it short, and test comprehension.
Whatever you do, don’t invite Marcus Ranum (see here, especially #5. I disagree with him on this one, but he makes good points and the article is worth a read; besides, he’s more famous than me).
My recommendation is to do a presentation as part of the company orientation program. Talk to your HR people or ask if you can give the presentation to them first. One company gave me 10 minutes to start, but asked me to expand it to 20 minutes because they received so much positive feedback.
After a few months of doing the presentation, I found that people really liked seeing that the “security guy” was actually human, didn’t live in a cave, and could communicate with ordinary people. One person told me that I “made security interesting, and even funny.”
One last thought – recycle the presentation into brown-bag lunch presentations to cover existing employees, and turn the questions that employees ask into their own presentation, such as “Most Popular Security Questions and Answers.”
7. Walk the walk – especially executives (tone at the top).
This one is tough. Many executives still don’t get it, but I noticed their ears perk up when you keep showing them, from several internal systems, how you got their entire SSN.
Agle’s article ends with this gem:
“Remember that your employees can make or break your security program—keep them engaged in the process by soliciting feedback and suggestions. Provide a phone message line and emailbox—anonymous if necessary. Make it easy to use, non-threatening, and welcome stupid questions.”
Stupid questions should be praised. Stupid questions mean that employees want to know and are willing to risk ridicule to better themselves. If your security team isn’t asked stupid questions, it is not viewed as approachable or understanding.