Do your employees read and absorb information security and acceptable use policy revisions as if they were the next Harry Potter? Or do you have a sneaking suspicion that your hard work may be going unread or being instantly forgotten?
Achieving sign-off on information security policies and AUPs can be problematic enough for CISOs. However, making sure those amendments are put into practice immediately by an entire organisation of time-poor and information-overloaded employees is the real headache.
Let’s take mobile devices as an example. Most organisations I come into contact with nowadays are fully embracing the mobile device revolution. Those that traditionally only supported one mobile phone platform now support multiple platforms and those that had a blanket ban on tablets are now capitalising on their agility benefits. Symantec’s 2012 State of Mobility Report makes interesting reading about this growing trend.
We’ve reached a point where mobile devices are used almost as much as desktops and laptops. Research such as that included in Morgan Stanley’s Mobile Internet Report also indicates that it won’t be long before mobile phones and tablets become the primary way people connect to the Internet. So why is the emphasis still on computers when it comes to information security?
Most will recognise that almost all of the security breaches that could occur through a computer can occur through a mobile phone or tablet. Most will have also heard a story or two about how the personal online activities of an employee resulted in catastrophe for an organisation – particularly as a result of accessing or storing sensitive information on an unsecured personal device. Yet the news headlines and surveys still have organisations placing their security focus on computers and networks. Furthermore, there is great concern that many organisations still don’t have an adequate staff policy concerning the use of personal devices in the workplace.
That said, creating a long list of mobile security dos and don’ts isn’t the most effective solution. In fact, the backbone of your employee information security awareness campaign shouldn’t be hardware-specific at all.
Whilst there are certainly measures to consider when using different devices, awareness campaigns must focus on the information first and foremost. Once the employee embraces the need to protect the information, there is a greater natural tendency to look for the weaknesses of different devices.
Bearing all of this in mind, information security policies and AUPs are continually evolving documents. Unfortunately, organisations that have spent a great deal of time and resource building an effective employee information security mindset can sometimes fail to evolve that mindset in line with policy amendments. I use mobile devices as an example because many organisations are currently implementing huge policy changes to address the extreme risks they pose.
The point is this: every evolution of policy must go hand in hand with an evolution in employee mindset. The two are intrinsically connected. Therefore, while keeping the same awareness campaign branding, so that employees recognise the new messages as belonging to the same distinct category of information security instructions, those messages must be communicated in compelling, fun and memorable ways that gently amend what has already been learned.
In effect, we ‘overwrite’ what was previously communicated in a manner that neither confuses employees nor irritates them about any perceived changes in direction.