What Does Security Education Look Like at your Company?
Security experts say that employees are the weakest link in your security chain. In fact, CSO’s recent survey, the 2016 Global State of Information Security Survey, reinforces this: when security professionals were asked about the likely sources of security incidents, the most frequently cited insider source was current employees. When nearly a quarter of enterprise organizations report losing more than $1M as a result of security incidents, it is understandable that companies begin to ask what else they can do to minimize the threat.
As a privately held company, we face legal requirements around security that are not as stringent as those for public companies. However, as the world’s leading technology media, events and research company, with a core corporate value of providing information on information technology, we may well be tested to see whether we practice what we preach. Additionally, our journalists and researchers are sometimes in a position where the work they produce focuses on individuals or groups alleged to conduct outsider attacks, which can make us a target: if you anger the hackers, they may attack!
We’ve always focused on keeping our information and technology secure: financials, HR, our websites, and research content. Compliance with the Payment Card Industry Data Security Standard (PCI DSS) is a priority, and when the PII (Personally Identifiable Information) laws came into being, we made sure we had policies in place and processes to check that we are in compliance. But we began to ask ourselves what else we could do to engage employees around security education and awareness. It is common to find that employees perceive security at their company as primarily an IT job. So, a year ago we decided to try to change that perception within the walls of IDG. We created a new program called IDG Security Smart to help our employees understand their role in keeping IDG technologies, information, and data safe and secure. We started by surveying our U.S. employees to get a baseline measurement of their security education and awareness. Then we made it a point to sit down with individuals across the organization to get their perspectives. We interviewed managers in key departments to gain an understanding of their knowledge and comfort level regarding their role in keeping IDG secure. We interviewed our IT Helpdesk staff to get their perspective on the areas where employees could use some security education. We talked to HR, Finance, Tax, and Accounting to understand their concerns.
Based on those results, we developed a custom security education and awareness program to educate our employees in five key areas of security: phishing, password management, data protection, device management, and social engineering. We went the custom route because we wanted the training to be IDG specific, incorporating our own policies and processes in those important areas.
We rolled out the training and within a month we met our goal of over 99% of our employees completing the course. Feedback was generally positive, and a lot of great discussions have taken place since then about how to improve security practices. We met our initial goal of bringing awareness of security to every employee. Now, we are planning for what the next phase might look like.
What are you doing to educate your employees? Has your organization gone through a similar assessment and security education program? I’d love to hear what your challenges are and what solutions you’ve implemented. Tweet me and let me know your thoughts – @Newkirk_IDG.