Project 9: Undertake Awareness Programs
Traditional security awareness programs can be effective, but if you want to thoroughly educate your employees you need to involve them. Instead of telling them what not to do, teach them to be "net cops."
According to recent data profiling data compromises, your team members (as in humans) are twice as likely to notice strange attacker behavior, security issues, and other anomalies as automated systems such as intrusion detection systems (IDS) and log monitoring.
Teach them what suspicious activity looks like and reward them for reporting it. Some examples of anomalous behavior include:
• Pop-up ads from sites that have not displayed them in the past
• The Internet browser's home page changing without user input
• Web sites that appear to be legitimate but have spelling errors or incorrect logos
• Login pages that have "page not found" errors or just refresh when credentials are entered
Set up incentives for maximum participation. If an employee reports something that appears to be suspicious, place their name in a monthly drawing for a prize.
Give away something different each month. The prize could be movie tickets, gift cards, or a special parking spot. An anonymous submission method should also be considered.
The only preventative topic that should be covered continuously is laptop theft. Educate employees on the business impact and costs associated with lost or stolen equipment.
The majority of them will be surprised to know that the organization not only has to replace the hardware, but also may have to pay regulatory fines and file recovery charges.
Increase awareness by producing short, humorous videos that feature an employee getting a laptop stolen. Include a serious message about how quickly laptops can be stolen and why they should never be left unattended.