S 2.198 Making staff aware of information security issues
Initiation responsibility: IT Security Officer
Implementation responsibility: Supervisor, IT Security Officer
Many security incidents are not caused by attackers from outside the organisation, but by improper conduct of the organisation's own employees. For this reason, emphasis must be placed on ensuring that all employees possess the information security knowledge they require for their workplaces, that they are able to quickly recognise security incidents as such, and that they are able to take reasonable measures in case security problems arise. Therefore, one of the most important tasks of information security management is to hold events to raise the employees' awareness of the subject of information security. The events should cover the following topics, amongst other things:
- the tasks and goals of the organisation,
- how the tasks of the organisation are supported through the use of IT,
- the threats and risks entailed when handling information and using IT,
- the values of the organisation,
- explanation of the basic principles of information security: confidentiality, integrity, and availability,
- the information security policies of the organisation,
- the objectives and contents of the security concept,
- the obligation of the employees and the people responsible for systems and tasks to implement the security concept,
- adaptation of the security concept to reflect new developments and tasks.
Examples of all of these topics should be provided to improve understanding.
Every employee should be familiar with these topics, and it is best to incorporate awareness-raising into the initial training programme for new employees. Since raising the awareness of information security issues is essential for guaranteeing that the security safeguards (which are sometimes considered a nuisance) are actually implemented, it is recommended to hold such events regularly and allow all employees to attend.
In order to implement information security, it is not only necessary to make abstract rules, but also to develop a practical security awareness. As shown by numerous specific examples - such as the damage statistics from electronics insurance companies - damage to IT often simply results from a lack of knowledge of elementary security safeguards. On the other hand, employees can often contribute significantly to preventing damage by taking simple precautionary measures.
In addition to regular awareness-raising events on basic aspects of information security, it is also necessary to raise the awareness of the employees for the security safeguards they need to take during their daily work. The primary topics to cover in such events include the following:
- Appropriate handling of information: secure storage of documents, no disclosure of information to unauthorised persons, precautions to take for transportation, etc.
- Site and system access protection: locking office and server rooms, blocking workstations even for short periods of absence (for example using a screen saver with password protection), the clean desk policy, supervision of people from outside the organisation, etc.
- Data access protection: handling passwords and other access resources (keeping them secret, safekeeping, etc.), rules for choosing secure passwords, etc.
- Technical security: keeping ventilation openings clear of files, clothes, or similar items; avoiding the hazards caused by installing devices in unsuitable locations or by laying cables across the floor; only allowing qualified experts to repair electrical equipment and installations, etc.
- Security safeguards when using email and the internet: raising awareness of the fact that unencrypted emails are not confidential (if encryption and signature components are available, the employees must be trained in their use); secure configuration of the internet browser (disabling ActiveX and JavaScript, for example); no careless downloading of executable programs, because they may contain damaging functions, etc.
- Malware: explanation of the terms viruses, Trojan horses, worms, etc.; surfing the internet only with antivirus protection enabled; scanning email attachments for viruses before opening them, etc.
- Handling of security incidents: how to detect security incidents, what employees should do, to whom they should report security incidents, etc.
- Legal aspects: basic principles of data protection, no installation of unlicensed software, copyrights (in terms of using material from the internet, for example), etc.
The subjects specified above are just a selection. Events relating to information security should always be adapted to the individual requirements of the government agency or company.
A continuous learning process is necessary to effectively raise the awareness for information security and permanently change habitual behaviour. Useful and continuous awareness-raising measures must be adapted to the working environment and target audience.
To increase the learning effect, it is recommended to regularly remind the employees of information security aspects, for example through email campaigns, posting information in the intranet, and integrating security topics into internal events. Other effective methods for raising the employees' awareness of information security include the following:
- regularly providing information on current basic threats and vulnerabilities, for example
  - the IT Security Officer being briefed by appropriate information services, or
  - the staff being briefed by the IT Security Officer.
- creating a communication forum to encourage employees to discuss current security topics, post questions, and also illustrate security problems.
- regularly questioning employees on information security aspects, which not only allows an organisation to determine the current level of knowledge, but also to improve it. In addition, regularly questioning employees permits easier detection of information security problems and enables improved implementation of security safeguards (for example: "How often do you back up your data?").
- performing simulations, for example on the effects of vulnerabilities on the specific working environment.
- holding employee workshops to detect any vulnerabilities and identify appropriate security safeguards.
- creation of a security pool in the intranet where employees can obtain information about current information security incidents and possible solutions. Employees should also be informed on how they can protect their IT at home. This additionally motivates employees and reduces the possible number of security problems that may arise when using IT at home.
Initially, programmes for raising awareness for aspects relating to information security have the general effect of explaining information security issues to the participants and making them more open-minded towards information security. In order to ensure their behaviour will change, it is also necessary to establish information security as one of the basic values of the company or government agency. The conduct desired in terms of information security also needs to be evaluated just like any other objective. Supervisors also need to show an interest in information security and provide positive or negative feedback (praise and/or criticism). Supervisors should also act as good role models, and administrators and support employees are important multipliers in this respect. If these groups do not follow the security policies or do not consider them important, neither will the rest of the employees.
Examples taken from or based on the work done daily by the employees should be provided for each topic. This makes it easier for the participants to remember the concepts and put them into practice.
Example:
In one company, a product for encrypting and signing emails was introduced to improve email security. In order to ensure these mechanisms are used reasonably at all times:
- the employees should initially be trained on the effects and mode of operation,
- supervisors should also send signed and encrypted internal emails,
- travel expense reports can be submitted by email, but will only be accepted when signed electronically, and
- supervisors must talk to any employee still sending unencrypted emails nevertheless.
Questions relating to information security must be addressed openly throughout the entire organisation. A trusting and open communication culture is essential so that security incidents are reported immediately and resolved openly. This also includes informing the employees of any information security incidents in the organisation and how the incidents could affect their workplaces. The employees must be informed of information security incidents promptly instead of waiting until the security incidents become public.
Material on information security
Attractively designed promotional material or promotional campaigns can contribute to raising awareness. This includes creating targeted messages and slogans on information security. For example, brief information security messages can be placed on calendars, coffee cups, notes, frisbees, mouse pads, or screen savers to draw the employees' attention to information security issues.
Posters are also an effective way of getting a message across. They should be displayed at prominent locations in the organisation, for example in the canteen, in the elevator, and in meeting rooms, and they should be changed regularly. Posters on information security topics are also available from various manufacturers of security products and suppliers of advertising materials.
Slogans for information security should be simple and easy to remember, and they can even be funny (depending on the culture of the organisation), for example:
- Your security is under threat, if your password's the name of your pet!
- He who has stored his things securely has saved himself a great deal of bother!
- If the content's too risqué, maybe email's not the best way!
- No one can read your data if they can't get into your system!
Furthermore, employees should have access to current information on information security in the form of technical magazines.
When conducting any activities to raise the awareness of employees for information security, do not forget employees who do not have direct access to the IT systems, such as the cleaning staff or the maintenance crew.
Properly explaining the security policies to these people will also help to avoid damage.
Review questions:
- Does the information security management conduct regular events intended to raise the employees' awareness of information security?
- Are the employees made aware of the security safeguards they must observe during their daily work?
- Are the employees promptly provided with information regarding organisation-internal information security incidents and regarding their importance for their workplace?
- Are employees provided with access to current information on information security such as technical magazines?