Risks During a Security Awareness Program Implementation
Inappropriate use of storage media containing sensitive information, mishandling of confidential data, insecure email usage, and failure to follow the storage requirements that apply to each data classification top the list of security risks every organization is exposed to. In most cases these errors are far from deliberate. Negligence, a lack of basic knowledge, and the “it can’t happen to me” attitude are the catalysts for wrong behavior and improper actions when dealing with sensitive data.
It is important that the security awareness and training program responds to the business needs of the organization and is mapped onto the organization’s culture and information security policy. The program’s success also depends on how relevant users find the subjects and issues presented.
Even when good practices are followed while designing the program and during the implementation and deployment phases, some specific risks are often present, and it is better to address them in the program plan:
– Course content decoupled from environmental factors and the security policy.
– A non-customized, one-size-fits-all approach applied to all user segments, even though the Security Policy treats them differently.
– Lack of periodic awareness checks to measure user response and how users react in different situations.
– Reliance on computer-based training (CBT) as the single form of conveying information; email alerts, lessons-learned sessions and early SMS notifications have their role too.
– No management commitment to program execution.
– Wrong team set-up and program budgeting, i.e. no budget or resources available to support the program in the longer term.
– Missing or poor decision making for the program, which may cause bad overall performance.
– No disciplinary policies or procedures to support the program.
– Low-quality materials and no yearly updates.
– No integration into the business and a high level of generality.
The underlying problem is that security awareness programs are more difficult to implement than most security professionals want to acknowledge. Awareness is a separate discipline that requires the appropriate knowledge, skills and abilities to implement and properly maintain the program. Whether you currently run the whole awareness effort internally or look for external help, the risk of a poor implementation, or of not having a long-term mindset-changing process, must be taken into account.