Opinion and Analysis
Information security awareness crucial
Posted Wednesday, August 1 2012 at 20:58
Many organisations in Kenya are in the process of making major investments in information technology, applications and other resources.
In order to protect these investments, organisations need to make a similar investment in information security, especially employee security awareness and training.
Any organisation that relies on technology but neglects information security awareness is overlooking a crucial layer of protection.
Local studies have cited insider threats as the most serious information security problem facing Kenyan organisations.
Insider threats are a complex challenge and unfortunately, no single technology will solve the wide range of risks posed by insiders - employees, contractors and partners.
Employees’ ignorance of information security policies, human error and the circumvention of set procedures to ‘get the job done’ are leaving many Kenyan organisations vulnerable to security breaches.
Kenyan businesses need to make sure that employees understand the importance of information security, as well as their involvement in protecting information.
Maintaining a fully informed, well-trained and security-aware workforce benefits an organisation in three ways: it prevents misuse of information and harm to company resources; it enables employees to recognise attempted misuse of information and resources; and it ensures employees will react quickly and appropriately if information security breaches do occur.
A successful awareness training programme should educate users on how to safely use information systems within an organisation’s business environment and how to adhere to security policies and procedures set out by management.
Security awareness programmes should redefine the culture of an organisation.
Such a programme requires the dedication necessary to ensure that the maximum number of people receive management’s message, and that it is communicated in such a way that management’s seriousness of purpose is understood.
The benefits to the employee of secure information resources may not be readily apparent, so the message must be delivered strongly and then constantly reinforced: information security is a strategic directive of the organisation.
Similarly, information security awareness must be the result of a programme, not a project. The campaign to create and maintain awareness is open-ended.
Organisations should also consider using employees’ direct managers. Research has shown that security communications delivered by an end user’s direct manager can be more effective than those from other sources.
While implementing security awareness programmes can help organisations achieve higher levels of security, demonstrating the business benefit can be a challenge.