
*By Barbara Moretto

Information Security is undoubtedly a topic of current relevance, as the Covid-19 pandemic contributed to the shift to home office work and to the sharp rise in the number of cyber attacks.

Investing in Information Security has also become a focus of small and medium-sized companies. However, technological investments alone are not enough to reduce the number of information security incidents. It is very important to strengthen the information security culture, as the user is the weakest link and the hardest to control.

The main point is to ensure the commitment of Top Management to the topic. Among the main drivers for the implementation of an Information Security Awareness Program we can highlight:

  • Ensure the Confidentiality, Integrity and Availability of information;
  • Reduce vulnerabilities and security incidents;
  • Enhance the company's image and competitiveness;
  • Demonstrate commitment to best practices;
  • Meet legal, regulatory or audit requirements;
  • Focus on the roles and responsibilities of employees.

The requirements for implementing this Awareness Program include complying with the ISO/IEC 27001, 27002 and 27701 standards, as well as evaluating and keeping the Information Security Policy and Procedures up to date. These documents must be disclosed to and understood not only by all employees, but also by interested parties such as shareholders, customers, partners and third parties.

For the success of the Information Security Awareness Program it is necessary to:

  • Evaluate the possible obstacles to this project, such as lack of commitment from users, failure to put the acquired content into practice, and/or the difficulty some users have in admitting that help is needed.
  • Work on the paradigm shift from isolated training actions to a more dynamic and targeted Awareness Campaign that can effectively reduce the corporation's risk related to human behavior.
  • Involve the Marketing, Human Resources and Compliance areas in the project.

And thinking more practically, what methodology can we follow for this implementation cycle?

  • Initiate a current maturity assessment to indicate the topics to be covered. Usually, through questionnaires or other tools (simulation tests, monitoring of social networks), we can understand the level of information security knowledge and define the priority themes:

    1. How to keep your passwords safe;
    2. How to protect your corporate computer and cell phone;
    3. Social engineering;
    4. Classification of information;
    5. Clean desk;
    6. Safe use of email;
    7. WiFi networks;
    8. Safely browsing the Internet;
    9. Caution when downloading files or programs from the internet;
    10. BYOD;
    11. Two-factor authentication;
    12. Data privacy, etc.

  • Develop a plan that contains the message content, communication channels and the appropriate frequency, disseminating informative content monthly through:

    1. Email marketing and the intranet;
    2. Physical environment (murals, monitors in elevators, reception and relaxation room);
    3. Internal training;
    4. Sporadic lectures with external professionals;
    5. Fun and dynamic materials such as interactive games with scores and prizes.

  • Perform all the planned actions and then carry out analyses after the Campaign implementation to:

    1. Measure the efficiency of all the content used with employees;
    2. Identify possible improvement actions.

Finally, we conclude that this is an ongoing process of awareness, education and training, in which employees come to understand the importance of the data and information they have access to and their participatory role in protecting these assets.

*Bárbara Moretto is a GRC and Information Security Consultant at SAFEWAY.

About Safeway:

SAFEWAY is an Information Security company, recognized by its clients for offering high added value solutions through Information Security projects that fully meet the needs of the business. Over our years of experience, we have proudly accumulated several successful projects that have given us credibility and prominence among our clients, many of which are among the 100 largest companies in Brazil.

Today, through more than 23 strategic partnerships with global manufacturers and our SOC, SAFEWAY is considered a one-stop shop with the best technology solutions, processes and people.

Let's make the world a safer place to live and do business!