The increase in popularity of automation and mobility among Indian organizations brings into the picture newer and more sophisticated security attacks. Today, it is common to find unaware users who have fallen prey to various security attacks, and thus caused tremendous losses to the organization. Hence, information security awareness training has gained enormous traction in Indian businesses.
This is why IT leaders like Umesh Jain, the chief information officer of Yes Bank, believe that the ultimate aim of an IT security awareness campaign is to make users understand the company's security policy and to check whether they unfailingly adhere to it. "You can have the best of information security architecture, but if the user awareness is not complementary to it, then all of your efforts go down the drain," Jain says.
So what are the key ingredients when it comes to a successful recipe for security campaigns?
Thumb rules to design security campaigns
When designing a security awareness campaign for users, it's essential to adapt it to your target audience's lowest common denominator. Organizations can adopt the "keep it simple, stupid" principle on this front.
Apart from simplicity, it's important to realize the importance of organizational data in its various forms. "Your company should remember that the information to be secured is present not just on your systems. Critical data can also be present on desks, drawers, pinup boards or with users (in the form of passwords)," Jain says. The information security awareness campaign must classify and then encompass all of these areas where security breaches occur.
Ensure that users are in tune with the training's core objectives. This is possible only if information security awareness campaigns are of interest to the user.
The essential ingredient for inducing active user involvement through creative means is a campaign such as the Indian automotive leader Mahindra & Mahindra's (M&M) "Project Suraksha." Such campaigns serve as popular role models among the IT community for their successful implementation and creativity.
"We have inculcated information security awareness as a way of life at M&M. Focus on change management is the most important aspect while designing such programs," says Arvind Tawde, the chief information officer of M&M.
Tawde feels that information security awareness programs should be interactive and participative in nature. "They can comprise prize-linked quizzes, mock-drills, group activities and sharing the results of surprise audits (captured as movies). After each program, we conduct a short survey and take user feedback to enrich the program's content in the future," Tawde says.
At M&M, user training is conducted at two levels. The first training level focuses on security breaches and the hazardous nature of such breaches. The second level details various steps required to prevent such breaches.
The importance of implementers of the information security awareness program is yet another critical aspect. This is why Rajendra Sawant, the chief information officer of Adventity Global Services Pvt. Ltd. stresses the role of implementers of the awareness program. "Ensure that the training of employees is carried out by personnel who have significant security responsibilities. They must understand the concepts and strategy of the security awareness and training program. These personnel should also be informed of the progress of the program's implementation," Sawant says.
Today, organizations have become extremely open and interactive. At any point in time, companies have several external entities accessing their IT infrastructure. In such a scenario, should the security campaign extend to external entities?
The answer is yes. At Adventity, temporary workers and contractors undergo security training prior to being given access to information systems. They have to sign user acknowledgements that state their understanding and compliance to Adventity's security policies.
Role of HR and senior management
Every organization's human resources (HR) department plays a crucial role in ensuring the success of a security awareness campaign. HR policies need to reflect the organization's seriousness about its approach to information security.
Sawant feels that the HR team should ensure that all employees have signed a user acknowledgement that they have read and understand the security policies. This acknowledgement should also capture the fact that the user agrees to abide by the security policies. According to Jain, the 'chanakya niti' of 'saam-daam-dand-bhed' (influence, reward, punish, divide) is the best way to deal with flippant user approaches toward information security awareness campaigns. "There should be rewards, penalties and punishments built into the system. I know of several organizations where your services can be terminated due to breach of information security policies," Jain says.
Business leaders and senior management have a huge role to play on this front. A top-down approach guarantees more respect and sincerity from employees. "More often than not, the deeper issue is that of a business leader's view that information security is very easy to attain. This results in the team members taking a casual approach towards the entire campaign," Jain cautions.
Measure campaign effectiveness
After the information security awareness campaign is rolled out, it is important to verify the initiative's success. Companies can use several types of metrics to measure the effectiveness of campaigns.
Quizzes, security incident reporting, reports of policy violations, audits (monthly and annual) and clean desk audits are some of the common ways to measure the campaign's effectiveness. Many organizations also monitor Internet bandwidth usage for business and nonbusiness activities as part of this exercise.
Besides these methods, Tawde suggests conducting spring cleaning and health checks. They should be part of an annual activity to clean information assets at an individual level and confirm adherence to best practices.
"Mystery shopping is yet another way of measuring the security awareness campaign's efficacy. For example, try and see what happens if a manager cajoles his team member to share his password," Jain says.