So far, we have seen that the biggest vulnerability to security is the human element: namely, the workers at the company. We saw Johnny Long’s video “No Tech Hacking” point out numerous examples of people who let their guard down and left their companies vulnerable to hacking. Obviously most people are “trained” at some point about the security threats that are out there, but to successfully defend against these threats, more effort is needed: namely, a “culture of security” within the company.
As the default IT security managers (because all things computer-related will be our fault if they fail), we have to be the primary cheerleaders for computer-related security. We have to impart the importance of computer and physical security to top management AND get their support in policy AND their buy-in for policy execution. Having the boss sign policy letters won’t do much if they appear to be personally exempt from the policies. It won’t set a good example for the underlings (monkey see, monkey do principle). It may be uncomfortable to tactfully tell the boss what to do, but remember that is what they pay you to do. Hopefully, if the boss(es) follow the policy, then it will trickle down to everyone.
Even once the policies are out there and people have been trained, constant reinforcement is still needed. If you see a policy infraction, correct it on the spot (tactfully if it is one of the bosses), and let the errant coworker know the rationale behind the policy. Also ask the errant coworker to help the company out by correcting anyone they see making similar mistakes. If you can get coworkers helping to promote computer-related security, you are well on your way to creating a self-sustaining program where you don’t have to do all the work.
Even when coworkers are policing themselves on existing policies and threats, the work isn’t over. You should keep researching computer security threats and inform coworkers (in layman’s terms) of any threats that have surfaced. Fliers on bulletin boards (or in the bathrooms) and e-mails work to get the info out to many people in a short period of time. And don’t forget to add these threats to recurring training sessions.
It is a lot of work, but if it is your job to be the IT security person, you’ll need to create a “culture of security” within the company. It will be a tough job to be the cheerleader, but think of the repercussions: information lost or damaged, money lost, customer or employee data stolen, and possibly your job lost. Being recognized as the “kooky computer security person” when you walk down the hall will at least get the coworkers to think about computer security (even if it is just for a minute each day). I guess that is a small price to pay to keep the company (and my job) safe.