Security Awareness - what you need to know

October is American National Cyber Security Awareness Month. There is a great new strap-line of “Protect Yourself Before You Connect Yourself.” It’s all good advice and well worth reading through.

In the UK, there is the government-sponsored “Get Safe Online”. This is a useful resource, so long as people know that it exists and where to find it, offering relevant guidance for the home PC user on everything from safety in online dating to information about how spyware works. I took the 5-minute personal risk assessment. My result was: “Your results are good. However, you may be able to improve your level of security in one or two areas by looking at the topics in the “Protect yourself” section of this site.”

Even better on this site is the information for small businesses. The section on corporate identity theft is very timely, although it could be updated to discuss social-networking-based risks as well.

I’ve recently reminded my own organisation about the value I place in security awareness information for employees. It’s cheap and it really does reduce risk. The Security Company make the point that

Employees represent the quickest ‘win’ in the battle to make an organisation’s information securely and appropriately available.

A security-aware workforce will provide:

– appropriate protection for all of an organisation’s assets in a cost-effective and efficient manner

– an environment where all staff members are committed to the protection of an organisation’s assets, particularly information in all its forms

– competitive advantage, improved customer service and an enhanced market image as a result of an organisation’s recognised commitment to security

– measurement and compliance techniques to ensure losses resulting from breaches of security can be identified and continue to be reduced over time

Generally the first line of defence, employees can quickly identify a potential breach or a weak link. Just as importantly, security-aware employees can prevent and lower the impacts of incidents when they do occur.

I’m also well aware that running a successful security awareness programme that grabs attention and holds the interest of an organisation is no easy task. David Lacey’s advice is that

You need an eye-catching introduction, a memorable end-line and in between a list of points that must sound interesting despite the fact that not all of them will be relevant to each reader.

You also need to reinforce the message at regular intervals. A couple of years ago I visited a company in India where every employee had to complete a security awareness training course and exam on an annual basis. They were running competitions for designing posters and offering prizes for awareness-related suggestions. The whole desktop computing environment was focused on security and safety, and was taken seriously by everyone from senior management downwards. Too much? I don’t think so. Considering that just about every aspect of our business is reliant to some degree or other on IT, if we can’t or won’t promote safe use of the resources that power it all then we’re heading for trouble.

Finally, something that recently occurred to me is that there are two things that worry me most about a computer virus. First, that my computer will be damaged and second, that my kid will be the one who invented it….

(For this and more very bad computer related humour, go to