There are many great websites that provide generic best practice information security tips for the workplace. However, employers need to be aware of two major risks of asking employees to rely on them for their security awareness.
The first risk is that your employees may rely on one of the ‘lesser’ sources rather than one of the good websites. Simple enough to solve – send your staff an email listing the information security websites that you approve of. Job done!
The second risk isn’t so simple to address. Your organisation is unique, with its own specific processes, procedures and information types. It may even draw unique cyber threats that other industries and organisations don’t have to contend with. Unfortunately, any best practice that your employees draw from generic security websites is unlikely to be fully applicable to these unique aspects of your organisation.
For example, generic websites can talk about the dangers of phishing, but they can’t talk about the specific dangers of spear phishing attacks that are unique to your industry or organisation. Generic sites can talk about how ‘sensitive information’ should be encrypted when copied onto storage media or transported on laptops, but they can’t define what ‘sensitive information’ means in the context of your organisation.
Benefits of the specific source
Many organisations are addressing this second risk by bringing the source of security best practice in-house. This ensures that employees have fast access to a comprehensive portal that covers the breadth of required information security awareness. In most cases this is achieved by way of a distinct information security micro-site held within their existing intranet framework.
This delivers the immediate benefit of allowing you to tailor all information security best practice to your organisation, making it fit for purpose for the work your employees do and the way that they do it. The types of information can be discussed within the context of the organisation’s own information classification system. All handling procedures can refer specifically to organisation processes. The unique risks of the industry or organisation can also be addressed, with relevant real-life case studies providing additional weight.
Compiling an in-house resource also provides many other advantages. The content can be re-tasked for your employee information security awareness training sessions. It can also become the central information hub from which organisation-wide information security communications campaigns are run. No matter how campaign messages are conveyed to employees – whether by posters, presentations, plasma screen animations or quick-guides – the information security micro-site is always cited as the first port of call for further information.
Building an information security portal
Naturally there are many factors that contribute to a successful information security portal. Two key priorities are to plan a clear information hierarchy and aim for maximum build flexibility.
Getting the information hierarchy right plays a huge role in dictating the success of the project. If users have trouble finding what they want to know, you run the risk that they’ll try to find it through a web search, which takes them outside your control. Information security is a complex topic, and a clear information hierarchy not only makes it easy to find topics, it can also help employees to see how all the various topics interrelate. This can make the entire subject seem much more mentally accessible and therefore easier to put into practice.
Build flexibility gives your site the longest possible shelf-life and makes it a highly versatile communications tool. As with any website, users are encouraged to return if they feel it is a dynamic source of valuable information. Home page flexibility in particular can allow you to tailor the site to specific information security awareness campaigns. You should also ensure that the information hierarchy allows for the site growing over time, for example as new threats emerge or as new processes are introduced to the organisation.
Before embarking on a portal project, it’s a good idea to ask a cross-section of your employees what they would like to see and what would help them most. Although many will almost certainly provide generic answers, look closely at the way they are responding. This is an excellent opportunity to test the temperature of your organisation’s attitude to information security. If a large proportion of your staff members have no opinion, it could indicate that they aren’t that interested in handling their work securely – something that certainly needs to be addressed.