That was the question that the IISP East Midlands branch tried to tackle recently at its forum in Leicester. The evening gave a chance for information security professionals across the region to get together to network with colleagues and discuss this most important of issues.
Survey after survey from across the cyber-security sector shows how many cyber attacks are facilitated in some manner by employees of the organisation that suffers the attack. It should hardly need emphasising, then, how important it is that organisations ensure their employees are adequately equipped to deal with the threat.
After years of analysing what works with users, and more importantly, what doesn’t work, the two speakers at the forum, Jim Shields (Restricted Intelligence) and Geordie Stewart (Risk Intelligence/John Lewis Partnership), were happy to share their insights about what makes people tick when it comes to their habits regarding sensitive information.
Overall they felt it was time the industry took a different approach – what is being tried at the moment simply isn’t effective enough. They challenged the audience to take a step back and work out how to engage staff with the right messages on information security.
One of the examples they used was how some airlines have taken a more engaging approach to their in-flight passenger safety demonstrations. Take a look at this example from Air New Zealand.
They then challenged the audience to think how this could be applied in an information security setting, which led to a lively discussion. Resources from the evening are now available on the IISP East Midlands Resource Page.
Kevin, as an information security specialist for many years, I unfortunately see the same recurring theme with businesses time and time again, and that’s the failure to implement comprehensive security policies, procedures, processes, and other fundamental initiatives. With so many free and cost-effective solutions available online, there are really no excuses as to why businesses don’t take the necessary steps for ensuring the safety and security of their entire network infrastructure. What’s also frustrating is not seeing comprehensive security awareness training and other basic, fundamental programs, like annual risk assessments, that should be in place to further help protect organizational assets. There are literally hundreds of sites offering free employee training material. It’s time companies got serious about security and not just profits, because data breaches are continuing to grow at such an alarming rate. Think about it: what business do you even have if a significant data breach occurs? Kiss your profits goodbye and say hello to the onslaught of lawsuits sure to arrive.