What is Information Security Awareness?
Information security involves the precautions taken around information in order to ensure information systems operate as intended and that data is treated correctly. The purpose of rigorous information security is to prevent confidentiality breaches, data losses, and inaccuracies. Additionally, information security ensures that data is available to those who require it – at the time they require it. Information security is the responsibility of everyone who handles data, therefore awareness of security precautions and best practice throughout your organisation is crucial.
What Should Good Information Security Awareness Entail?
A lapse in judgement by a single staff member could result in an organisation-wide information security breach. Therefore, the most powerful tool at your disposal is regular information security awareness training for all staff members. A sound understanding of security principles, covering data protection, cyber security, physical security and intellectual assets, empowers staff members to remain vigilant to potential threats.
Your organisation's policies and procedures should be clear and explicit in stating acceptable and unacceptable behaviours within your organisation. They should be readily available to refer to, and all employees should be directed towards them during their induction. Policies should cover personal use of work computers, mobile devices and any other key security areas. Many employees use work computers for personal tasks such as checking personal emails, social media and online shopping; your policy should state the extent to which this is acceptable. The expected use of mobile devices, particularly regarding their physical security and the applications used on them, should be outlined. Any ambiguity puts your information security at risk.
Awareness can be reinforced offline through posters and other printed literature. These can be displayed throughout the workplace, and especially at locations where information security is vital, e.g. printers, filing cabinets and waste paper bins.
Awareness of Individual Responsibilities
In order to comply with your organisation's policies, it is essential that employees are aware of their personal information security responsibilities. These will differ depending on job role and should be available for staff to refer to.
Information security is the responsibility of everyone. All 'users' (i.e. employees who use an IT system) must familiarise themselves with their individual responsibilities. Users must:
- Restrict access to systems through proper use of passwords, door codes and similar controls
- Look after physical/intellectual assets
- Comply with legal requirements
- Promptly report security incidents
- Follow and keep up-to-date with good practice obligations
- Keep PCs, mobiles and removable storage equipment safe when using them out of the office
- Observe organisation policies
Managers are responsible not just for their own information security, but also for that of their team. Their responsibilities are as follows:
- Understanding security requirements and how to fulfil them
- Ensuring IT services offer appropriate security support
- Ensuring employees are appropriately trained
- Implementing a business continuity plan enabling information systems to keep running if things go wrong
- Making sure employees comply with law and policy
Why is Information Security Awareness Important?
Implementing good information security practices helps protect your organisation's reputation, safeguard your customers' interests, and fulfil your legal and regulatory responsibilities. Sound information security knowledge and awareness means that your employees are less likely to be caught out by criminals' scams. Unaware employees are vulnerable to social engineering tricks, such as phishing scams and lures that deliver malware. In 2017, for example, around one million Google Docs users received a phishing email inviting them to open a document that had supposedly been shared with them. Following the link gave the attackers access to people's email accounts, contacts and online documents. The fraudulent link resembled legitimate Google pages, and a vast number of users fell into the trap. Awareness promotes vigilance, which reduces the chance of your employees falling victim to a social engineering scam like this.
Poor information security practices can result in data breaches, data loss and inaccurate data being produced. These can lead to enforcement action from the Information Commissioner's Office (ICO), including fines of up to €20 million or 4% of your annual turnover, whichever is greater. Poor information security also puts those you hold data on (such as employees, customers and suppliers) at risk. Affected individuals may suffer a loss of rights and freedoms and fall victim to cybercrimes such as identity theft. Interruptions to service, e.g. through data loss, system failures and security alerts, can be detrimental to business output. Business contingency plans must be implemented to minimise the blow and facilitate operational continuity. As well as fines and direct effects on output, security breaches can result in a loss of public trust and a major blow to your reputation. A lack of knowledge and awareness on the part of a single employee could result in catastrophic damage to your entire organisation. Given the repercussions outlined above, this is not a risk you can afford to take.