Feb 16, 2012
Get Users to Care About Security
Your employees are a critical part of your security program, particularly when it comes to the endpoint. Whether it’s a PC, smartphone or tablet, your end users are on the front lines of phishing attempts and malware attacks. The more they understand—and care—about how their computing behavior affects the company’s security posture, the better off the company will be. Of course, it’s easy to say, “Get end users involved in security.” It’s hard to make it happen. This report offers practical guidance on how to engage employees in ways that can result in meaningful changes to their security-related attitudes and behaviors.
First and foremost, security engagement must be driven by the executives—all the executives—not just the CIO or front-line IT staff. If the CEO and business leaders demonstrate the need to take security seriously, employees follow suit. If executives aren’t ready to get on board, try a wake-up call in the form of a phishing test. Run a simulated phishing attack against your organization and track the number of employees who fall for it. You may be surprised (and dismayed) to see just how vulnerable your organization is.
Next, get employees’ buy-in. The best way is to appeal to their self-interest; the security behaviors and information you provide at work can also be used at home, helping people safeguard themselves and their families from financial fraud, data loss and online predation. Other ways to get employees on board is through direct communication from IT and business leaders. Real-time, in-person interaction sends a powerful message that this subject is important. IT’s credibility also goes a long way to getting your message across. If your IT shop isn’t regarded as a trusted technology partner, you have some ground to make up first. (S4300212)