The first step is to make it clear why security measures are needed: if this is not widely understood, then employees are far more likely to see precautions as an unnecessary nuisance than a business-critical activity.
The message that effective security is a business enabler and a useful sales tool – something that inspires customer confidence and can help close important deals – needs to be communicated. Unfortunately far too many people are still only aware of what they have to do and not why they have to do it.
It's also important for people to be aware of the potential cost of security breaches and the fraudulent activity that results. Take the UK as an example. The annual cost to industry is around £32 billion, with a further £8 billion being spent on fraud prevention. That £40 billion total is equivalent to more than half the annual cost of the country's National Health Service.
With sums like this involved, fraud prevention and security are clearly a board-level issue and not just something for the IT department to sort out. And that means that top managers need to be visibly engaged in the fight against e-crime.
It's true that technology can go wrong on its own, but a crime can only be committed if a human being plays an active part. Therefore organisations need to make everyone aware of the consequences of any behaviour that breaches the rules, whether it comes from outside the company or from within it.
For large multi-nationals that incorporate numerous languages and cultures, this is no mean task. Nor is the problem merely one of linguistics and getting lost in translation. It's likely that most employees won't speak the language of the security team, so the message needs to be free of jargon and tech-speak to make it as effective as possible.
In addition, senior executives need to have a clear view of how far their personal liability extends, particularly with a stricter regulatory regime and greater awareness of the need for exemplary corporate governance. It's still not unknown for members of the board to regard security as a negative cost centre. They need to be persuaded that it can enhance the return on all IT investments and boost the bottom line of the business.
Middle managers, particularly those in sales and marketing, also need to understand how an effective security policy helps close deals thanks to greater customer confidence.
The general workforce should also be made aware of risk and encouraged to lock both the company's electronic and physical doors. There are the obvious measures like checking the alarm is set when they leave the building, and ensuring people don't leave their passwords lying about. But, in our increasingly mobile age, it also includes protecting laptops, smartphones and PDAs – indeed any device which connects to the network and which is all too easily left behind.