Most infosec professionals agree that user education and awareness training are important elements of information security, but most also admit their organisations are not investing enough in these areas.
This was one of the many interesting revelations at this month’s Rant for infosec professionals hosted by Acumin Consulting and the NCC Group in London.
The topic was social media governance. The reason organisations need to pay attention is encapsulated by US business magnate Warren Buffett, who is reputed to have said: “It takes 20 years to build a reputation and five minutes to ruin it. If you think about that you’ll do things differently.”
And since the advent of social media, destroying a reputation has never been easier. Services such as Facebook, Twitter and YouTube are very easy to use. Within an instant, anyone can publish anything.
Add to that the fact that publication is effectively worldwide and, in many cases, cannot be withdrawn or destroyed. Once published, content can live for years online in obscure archives.
One tweet is all it takes, said one infosec professional, to the general agreement of the assembly, who recounted several examples of notorious social media postings by people about their employers.
Social media governance is therefore essential, but someone suggested that the last thing most companies need is another policy.
“What has worked for us is consolidating as many policies as possible to bring all the key messages together,” he said, in combination with continuous engagement using innovative methods.
Barclays Bank, for example, has used a series of short comedy videos that both entertain and inform. Traditional channels like newsletters and emails are less likely to capture the imagination and encourage better behaviour.
“Keep it simple, but do not expect behaviour to change overnight. It needs to be reinforced continually,” the speaker added.
Social media governance, it was agreed, is about people. It is a long-term process. Infosec professionals need to communicate with users, explain to them the consequences of their actions and, most importantly, show them how to do what they need to do in a way that does not pose a risk.
But because social media is accessible to all age groups, it was also agreed that education needs to start at school. While some infosec professionals said they were engaging with schools, it was agreed that there was room to expand this.
The Rant ended on an interesting proposal: considering that members of the younger generation are “digital natives”, perhaps today’s professionals should be looking to them for a solution.
“We should ask these digital natives what they would do to solve the problem,” it was suggested.