Security is a top concern these days no matter how big or small your organization. Even the best technical security measures will fail if a company has a weak security culture. More organizations are putting their time and energy into internal efforts rather than relying on technological advances alone. Due to the rise in cyber and ransomware attacks, it's more imperative than ever for companies to rely on their employees and secure even the weakest of links. Below are several steps you can take towards security readiness:
1. C-Level Support
Having C-level support gives you more freedom, bigger budgets and increased cross-functional support. If you've been tasked with leading the security efforts for your organization, obtaining strong support in the beginning will give you the flexibility you and your team will need to be successful.
2. Vested Interest
Involving other departments such as human resources, compliance, marketing and legal can help you achieve the security promises you have put into motion. Typically, it's easier to get their buy-in when you already have C-level support. What we have found is that these departments usually have a vested interest in helping and can be of great value. When they see a return in what you're trying to accomplish, they usually make security awareness mandatory and will work alongside you to make things happen.
3. Measuring success
A key factor in being successful is the ability to show that your efforts are measurable. In order to do that, be sure to define metrics prior to getting started. If you don't establish ground rules, it's hard to measure what success really looks like. One of the ways you can measure success is by examining the number of security-related issues you receive from your help desk, the number of times an employee calls about a computer virus, or by monitoring banned websites via your web-content filter. These and other factors help you measure what success really looks like.
4. Follow the Leader
Can we just all get along? In many instances, the security group gets a bad rap and is known throughout the organization as the "un-fun" group. We tend to view them as the "gatekeepers" and the ones who tell us we can't do something. We all need to take a step back and consider why they want us to follow the security rules, both at home and in the office. We have all heard a horror story or two of someone's computer being attacked by a virus, wiping out precious photos and valuable data. When we practice what they are preaching, and follow the leader, it not only saves us time, but money and an aspirin or two. Following these valuable rules is something we can all learn from.
5. All aboard
Getting everyone to jump on the bandwagon and agree to certain practices when it comes to security awareness is not always an easy thing. All too often employees are forced by the very organization that employs them to take various security courses, because it's a requirement. By switching things up and creating a competition of sorts, we can begin to see a shift in how employees approach what was once a requirement, and by default they end up wanting to do the right thing.
6. Variety is key
Oftentimes organizations rely heavily on computer-based training modules, which are rarely engaging and oftentimes poorly executed. The most successful programs incorporate a variety of awareness tools. The more people you can get to participate, the more success you're sure to have. Try using newsletters, creative posters, games, blogs, simulations; you get the idea.