Information security awareness mantras from the Apeejay campaign

How do you ensure that 43,000 employees are aware of how information security has to start with the individual? Apeejay Surrendra shows the way.

A company can have the best information security architecture, but if user awareness does not complement it, then all these efforts are wasted. With this goal in mind, the Apeejay Surrendra group started its security awareness training sessions for close to 43,000 employees through a highly interactive campaign in 2009.

The Apeejay Surrendra group, a large privately-owned family business, will be completing 100 years in 2010. It has diversified business interests in tea, hospitality, shipping, real estate, retail, logistics and insurance services. The group has branch offices across metros with its head office at Kolkata.

Apeejay uses robust and scalable IT infrastructure for managing its IT security. It uses Cisco ASA and PIX for two-layer firewall protection. This is supplemented by a Trend Micro solution for virus and malware protection, spam and URL filtering, and other Web security aspects. "Despite such a robust IT setup, we faced information security threats at Apeejay. However, these were primarily from internal users due to lack of awareness about information security and their corresponding roles and responsibilities," says Subhashish Saha, the group CTO of Apeejay Surrendra.

In a particular incident at one of the group companies, an employee was found leaving an important business proposal document open. Following this, a survey by the IT team (in 2009) revealed that security awareness was very low among employees across the group. The group has to manage close to 43,000 employees across offices and tea gardens.

Like several other organizations, Apeejay was earlier flexible in implementing desktop security such as controls on peripheral devices, file/folder sharing, printer output management and management of physical papers (and files). The CTO realized that no amount of IT tools could train users to shred unwanted printed material, secure their physical files and folders, or not use a password such as 'Welcome' or 'Apeejay'. "Hence I decided that the only way to protect us from information security threats was to make people aware of the need to take care of their own soft and hard information," explains Saha.

Apeejay decided to address this challenge with a well-defined and planned program for increasing information security awareness across group companies. The primary objectives of this campaign included explaining information security in easy-to-understand language, with practical examples of the practices currently followed; building an information security community with participation from each of the group companies; and furthering the cause of information security awareness in the long term.

PCS was called in as the security consultant to help Apeejay design the information security campaign. PCS was responsible for creating and managing the distribution of theme-based screen savers and wallpapers for a period of six months. Another reason to involve a security consultant was to bring in an outsider's perspective and get professional help for IT security audits, Saha explains.

Apeejay dedicated a week (August 3-7, 2009) to focused programs on information security awareness. During this week, the company organized group-wide awareness workshops, quiz programs, slogan contests, the sharing of ideas and feedback, and sponsored contests. The content and schedule of the information security campaign were designed by Joy Bagish, senior IT infrastructure manager, who also looks after IT security. The corporate communications and HR departments were involved in communicating and organizing seminars across group companies.

PCS also conducted key sessions during the information security week, and presented a few recommendations after IT security audits; these were subsequently implemented. Apeejay made sure that the complete program was designed to be participative, and that most of the content came from the users themselves. During the information security awareness week, Apeejay organized contests for both participation and best content. Giving an example, Saha says that the user who created the best poster got an award. He says that 65% of the employee population participated in the quiz, and that it was conducted nationally using their in-house-developed intranet platform. There were 108 nominations for the slogan contest. On the last day of the week, Apeejay received about 50 suggestions on how an individual user could take care of his security issues. "It was quite an involved program, even the seminars — which are normally not received well — also had 40% of the user population present with several questions and answers," says Saha.

The information security awareness campaign's total cost, which included sponsorship from hardware vendors and OEMs, came to about Rs 1,00,000. According to Saha, the security awareness campaign has been really effective in increasing enthusiasm and involvement from the user community. "The program has helped to make our colleagues understand that information security starts with the individual, and cannot be driven only by the IT department," says Saha.

In order to keep up the momentum, Apeejay organized several subsequent security awareness training camps where information security issues have been handled at the individual level. "During January 2010, we organized an online quiz to check the level of improvement, and felt that information security awareness needs to be pushed as a continuous engagement process," concludes Saha.
