Is IT security getting the attention it deserves in your organization? With the rise of remote access and cloud-based services, IT security has become more important than ever before. Everybody’s online and we all want to access our work anywhere, anytime. The truth is, IT departments just can’t control all actions in the digital world anymore. In the following editorial, IT professional Mark Herrewijnen speaks about how you can make sure everybody does their part to keep your organization and its data safe.
What’s so important about security awareness?
IT departments always do everything in their power to keep the IT infrastructure safe from potential threats. They try to limit the network and can keep a close eye on it, but you’ll never be 100 percent secure, 100 percent of the time. You can also invest a lot of time and money into training other employees in exact procedures and checklists for using the network and dealing with threats, but that doesn’t mean that they won’t make mistakes.
What you really need to keep your digital environment safe is people who are vigilant and able to recognize threats. In other words, you need to make sure employees are aware of IT security risks and willing to do their part. This doesn’t mean that all employees need to know exactly how to resolve these problems. They simply need to be aware that threats may occur and that they should notify IT if they come across risky situations. So awareness is a simple step towards a safer digital infrastructure.
If I work in IT, how can I get security awareness on the agenda in my organization?
There are basically two ways to go about getting IT security awareness on the agenda. The best option is to promote security awareness with managerial staff, starting with your own IT manager. If they’re convinced you’re on to something here, it’s much easier to get them to participate in an awareness program. Point out the benefits to the business. Having excellent IT security policies can make your company very attractive to potential customers, and being tech-savvy means you’re keeping up with the times.
The path you want to avoid is one where security awareness is triggered by something going horribly wrong. It’ll get the issue on the agenda, but most likely other departments will simply say “IT, this is your area, right? Can you go and fix it?” That’s not the scenario you want. First of all, this approach gives little opportunity for preventive measures. Since other employees don’t have the tools to recognize dangerous situations, a lot of damage can be done before anybody realizes what’s going on. Besides that, fixing major security issues takes a lot of time and effort that could be spent more efficiently. There will always be incidents for IT to solve, but making people aware and empowering them to avoid dangerous situations can save a lot of time and money.
At TOPdesk, we as a department decided not to wait for big problems, so we started initiatives to inform our colleagues about IT security. This establishes a kind of mutual trust between us and other employees. They trust that we provide the right information and that what we ask of them is actually relevant. And we trust that they keep an eye out, don’t take unnecessary risks and inform us if they have any problems.
And how do I get all my colleagues on board?
If IT security awareness isn’t getting the priority it deserves, point out the potential consequences of bad security. Major data leaks are incredibly damaging to the company’s reputation, because customers need to be able to trust you with their data. If you end up on a list of companies with security issues, the financial department is going to notice it in turnover. So if you want to improve attitudes towards IT security awareness, you need to talk about the scary stuff too. But be realistic. You could go on a spending spree and get the best security money can buy, but what you need is the right balance. The important thing is to reduce risks to an acceptable, manageable level. Basic awareness among the rest of the staff is often a big step in the right direction.
Nobody wants to be responsible for damaging the company’s reputation because they were careless with data, and nobody wants to be forced to call their customers because they left a laptop with important information in a taxi. People will still make mistakes, but with this approach we’ve noticed people are more likely to come to us right away. And they know we won’t be angry. We may say we’re a bit disappointed, but even that we don’t really mean. Nobody’s perfect, people forget things. We can manage risks like that as long as everybody’s honest about them.
Once I have the organization’s support for our IT security awareness goals, what’s the best way to get there?
The right security awareness strategy is different for every company. If you want to keep things informal, you can provide short training sessions and present information in ways that are fun and light-hearted, but still get the message across so people will remember. It’s definitely a good idea to provide training to all new employees in their first few weeks on the job. But there are other little things you can do, such as putting up a simple, attractive poster with the basics so people are reminded of them regularly. Sending the occasional email to remind people to be vigilant can also be very effective, but keep it short and to the point. Essentially, do what’s needed to keep people aware, but don’t distract and annoy them with a constant flow of information.
How can I see if my approach is paying off?
People tend to think that if there are fewer incidents, their approach towards IT security awareness is working. But we’re noticing something very different. If there are no incidents, that doesn’t guarantee that nothing is going wrong. There could be other reasons why the IT department doesn’t hear about problems. Perhaps people are just hesitant to admit they made a mistake.
Or, if security awareness isn’t high on the agenda, many employees may not even notice security risks. Since we made a point of creating awareness for IT security, we’ve noticed that people have started coming to us more with questions about various situations. This seems like a lot of extra work, but it’s actually what we wanted. We’d rather get ten false alarms than miss one high-risk threat. The fact that people come to us means that although they don’t know exactly how to handle the situation, they identified a risk and trust the IT department to make sure things don’t get out of control. If everybody is aware of threats and knows who to go to if they encounter them, you don’t need to train everybody to solve every security issue. You just need to make sure the risks don’t go unnoticed.