Do you have a formal plan for educating employees about ongoing IBM i and IT security threats?
This article is excerpted from IBM i Security Administration and Compliance: Second Edition, chapter 20.
A security awareness program is an official or recognized project, typically under the “jurisdiction” of the Chief Security Officer (CSO), that is created for the purpose of educating individuals such as the organization’s employees, contractors, vendors, and volunteers about the organization’s security policies. The education should explain how the policies relate to each individual, and it should be performed on an ongoing basis.
A security awareness program is a requirement of many laws and regulations. But, beyond that, it simply makes good business sense to develop a security awareness program. By training your organization, you are mobilizing your entire workforce to help fight the security compliance battle and help you wage the war against inappropriate use of data.
Security awareness training typically starts the day an employee is hired, a contractor begins a project, or a volunteer starts. This is when the employee portion of your organization’s security policy is explained and the person is required to read and sign it, acknowledging that he or she understands its contents and meaning. Although many organizations take advantage of this initial opportunity, that’s often where the security awareness training stops. Everyone in the organization needs to develop a security “lifestyle.” To ensure that this happens, security awareness training should take place on a regular basis, so that people receive periodic reminders of the organization’s security requirements. They should also receive the appropriate training if they change positions and the requirements of the new position differ from the previous one.
Another reason for ongoing education is that new threats arise and new technology is developed. For example, when you first started working with email, did you have to worry about users downloading and subsequently leaving unencrypted confidential or private information on their mobile devices? Did you have to concern yourself with whether people were blogging during work hours or inappropriately posting statements as representatives of the organization? Without an ongoing security awareness program, you have no effective way of communicating the requirements of new or updated policies.
Another reason for periodic education is to update those in the organization about new or changed laws or regulations that affect the organization. For example, California expanded its breach notification law to include the loss of email addresses if the data lost also contains the answers to the security questions that are asked when someone loses their password. Privacy laws in Europe are becoming more restrictive in regard to the use of people’s private data, how long it can be retained, and the purpose of retaining the data. The expansion of laws and regulations may be known to your compliance team, but unless the rest of the organization is educated, it’s very easy for an organization to unknowingly be out of compliance. Educating your workforce is key in helping detect fraud and other situations that can damage or otherwise put your organization out of compliance.
What Method Do I Use to Communicate?
Because we don’t all learn in the same way, your security awareness program should include all types of learning. Giving security awareness training and tips using audio, graphics, and text will provide opportunities for everyone to absorb the information.
I’ve seen some of our clients use posters to communicate a “security slogan” of the month. The posters are often of high quality, featuring professional-looking images that capture the eye and draw you into the message. Other clients have used a lighter approach; their posters feature a cartoon conveying the message of the month through humor. In both cases, the companies obviously know their “audience” and the type of messaging their workforce responds to. Because messages get stale and people start to ignore them, most organizations change their security message about once a month.
For the technology learner, you can have short YouTube videos that illustrate the security tip or message. This method works well in the high-tech industry and any organization that hires Millennials. For more “traditional” or staid organizations, provide material for managers to present at their next department or team meeting.
As for the folks who read everything that comes their way, you can send out a monthly newsletter. Another approach is to change the network or IBM i sign-on screen to reflect the current month’s security emphasis.
Finally, it’s a good practice to have each employee annually review and re-sign the employee security policy. To accomplish this, some organizations use a secure website on their intranet where employees can read the policy and then digitally sign to indicate that the policy was reviewed. I’ve also seen organizations require management to present the policy to each employee individually or to the entire department during an in-person or online department meeting. Regardless of the method, I highly recommend that you obtain some type of proof indicating that employees received the education and understand the updates and new requirements.
Getting Started with Security Awareness
If you need help getting your security awareness program started, look to the Internet for help. There are companies that provide security awareness training packages—videos, posters, newsletters, monthly security themes, and so on. In addition, organizations that focus on training for security professionals often have online security awareness training courses that you can buy. Both provide good places to start.
Whether you use one of these resources or create your own program, I encourage you to make your training “real.” Provide scenarios that are meaningful to your organization, so that the workforce can more easily relate to the concepts being explained. In addition, make sure you provide the right training for your audience. Talking about data classification and proper disposal of media containing private data will make the manufacturing worker’s eyes glaze over! However, such employees do need to understand the proper use of social media—that is, whether they can post comments about the company, watch YouTube videos or play online games during work hours, and so on.
In addition to addressing topics that the entire organization will benefit from, it’s important not to ignore the education aspects that should be targeted to a specific audience. For example, I believe it’s vital to educate programmers and developers about the current and upcoming laws and regulations that affect your organization’s data. Engaging these individuals as soon as you’re aware of a new compliance requirement lets them better plan for application changes. In addition, if you see trends—such as the potential for healthcare information to be encrypted—you should warn them that this requirement might be coming. When equipped with this type of information, your programmers and developers can design their architecture to accommodate the requirement should it become law. In addition, engaging them early has the potential to make them feel as if they are part of the information security team rather than having requirements foisted upon them without any input or warning. Most programmers have no interest in security—they feel it’s an impediment to getting their work done. So the sooner you can engage them, the more successful the project will be.