The secret is making sure that all employees know who they can contact about security issues, he said. Also, through e-mails, screen savers, and competitions, Stimpson brings the organisation's IT security rules in simple doses straight to the desktop.
Many organisations fall down because they try to tell employees too much. "Don't try to tell them everything on a mousemat," was Stimpson's advice. That is why, on screen savers, for example, he puts one simple message which is changed every month.
ABN Amro has an "information security outreach programme" which comprises four parts: information classification (to help staff recognise which information is valuable); how to protect computers (for example, a simple procedure for transmitting confidential e-mails); how to protect the office (eg how to run a secure meeting); and how to protect yourself (eg from social engineering attacks, such as blackmail).
As it has the backing of the board, the programme is well integrated into company processes, such that new employees do not get a system password unless they can answer questions on the programme. It has 32 e-learning modules, and senior managers have to complete 10 of these a year.
Measurement tools identify where the programme needs to focus and reveal changes in the level of awareness throughout the organisation.This has the additional benefit of quantifying the success of the programme for senior managers.