Putting security in a business context can help employees be more cautious with their organization’s resources
In my first blog I would like to give my perspective on how to spread security awareness among employees. No matter how geeky an audience is—working in a product-based company, a technical solution provider or a service provider—at the end of the day a human is a human. Technology has a role to play, but not everything depends on it; the people who use the technology are the prime targets from a bad guy's perspective. Look out for the weak spots: human emotions, someone's busy schedule, etc. are some of the top factors an attacker will exploit.
When I schedule a security awareness session or a new-hire orientation, I always start by showing them an image of a laptop and I ask, “What do you see on the screen?” In my last session, the responses ranged from, “It’s a laptop,” to “It’s a laptop with a bunch of applications,” “It’s a machine,” and “It’s a system.” I agreed with what they said and then told them why I asked the question: I appreciated each of their responses, but added the context that it’s a business laptop, a business system, a business machine, a business asset.
They told me they had never thought of it this way. The rationale behind framing it in a business context, I told them, is that a business asset must be used with the utmost care. If we lose the business laptop, it becomes a physical security incident; if we don’t pay attention while accessing websites or email and the machine gets compromised, it becomes a security incident. Humans play a big role in security, and that’s why the human firewall concept must work efficiently.
Security is a shared responsibility and we all must clearly understand that. My example was part of a single slide with the image, which I used to set up the context. I was not out to prove them wrong; I was simply giving them an additional perspective to help them change their thought process.
Right from day one, employees must understand that they may lose their job if they don’t adhere to company policies and put the company’s data at risk. As Sun Tzu said in his book “The Art of War”: “If words of command are not clear and distinct, if orders are not thoroughly understood, the general is to blame.” Instructions must be very clear at all times, and from an organization’s perspective that is the job of the security officer who provides the training.
It always boils down to fundamentals, and that applies to any field. The fundamentals of what we are doing must be very clear. Before clicking on a web link, users must decide whether it’s safe to do so. An organization’s culture should encourage employees to get help deciding whether a particular link is safe to click: asking peers, reaching out to the InfoSec folks or cross-checking with their respective managers can save someone from making a grave mistake.
Employees must distinguish between a business laptop and a personal one. By doing this we are paying full respect to the organization that has trusted us to maintain the integrity of the company’s data, not misuse its resources and always abide by its policies.
Staying vigilant, staying secure is the key!