How CIOs promote data security awareness in the workplace

CIOs are not only challenged with protecting company assets but also tasked with creating a security awareness culture. CIOs need to teach employees how to safeguard against the security risks faced on a daily basis so they can handle any issues that may arise.

There are a number of ways you can create a security conscious culture:

1. Provide data security training to end users

Your employees are your biggest asset but they are also your security chain’s weakest link. To ensure employees are on board, you need to educate them on how everyday tasks and ways of working can put the company at risk. Have they read your data security policy and do they understand it?

The most effective way to train staff is to educate them face to face or via online programmes. Use real examples that employees can relate to. There are a number of important subjects that should be covered within a data security training plan:

a) How to create and keep passwords safe

b) Overview of what data security means and how it affects employees

c) Importance of using passcodes on portable devices

d) What to do if they receive a suspicious email, find a virus or malware or if something strange happens on the computer

Your employees need to know how sensitive data should be controlled, how it should be handled and who should have access. You also need to make them aware that there is more to protecting data than security software. Staying safe online is becoming a bigger challenge for IT departments. With ransomware and malware attacks on the rise, using a layered approach simply isn’t enough. Employees need educating on how to spot and prevent these attacks from occurring, and they need to understand that it’s not just the responsibility of the IT department.

With the rise in bring your own device (BYOD), the onus on employees to protect company assets has never been bigger. Your employees should not only understand the importance of encrypting their devices but also how to encrypt them properly.

2. Implement a clear desk policy

Companies tend to focus on their online data and forget the volume of offline data that surrounds employees’ desks each day. Implementing a clear desk policy helps prevent the leak of offline data.

Consider what should be done with hard copy data that is no longer needed. Does it need to be filed or shredded? If it needs storing or shredding, you’ll need to provide the equipment to do this.

An area that requires further consideration is ‘hot desking’. The very nature of hot desking means a number of people are sharing desks and may see confidential information if it is not protected. This poses further security risks.

3. Conduct regular security checks

Despite the fact that you invest time, money and resources into providing employee data security training, there will inevitably be employees who neglect to follow the rules or misunderstand the guidelines.

4. Monitor

There is little point in enforcing rules and procedures if no one is going to monitor the effects. Conducting regular assessments and spot checks ensures that employees know that these processes should be followed. It also provides a good opportunity for you to identify those who aren’t following procedures and provide them with further training.

It’s important to remember that not everyone is programmed to consider security first. Security awareness is about educating employees and about changing their behaviour and attitudes towards data security.

5. Launch an Attack

A great way to grab attention is to launch a simulated attack. Trilogy uses Sophos Phish Threat, which integrates testing and training into simple, easy-to-use campaigns. These campaigns provide automated on-the-spot employee training. It’s a very effective way of capturing the attention of your people while delivering effective training at the same time.

By John Casey - Trilogy Technologies.