Posted on 27 March 2019 at 2:34 PM by Ger van Hees

From Risk to Resilience and Compliance

Risk is a fact of doing business. Information security risk is part of any business that uses information to do business (and who doesn’t?).

For any business that runs on computers, email and the internet, this information security risk is as real as it gets, and that is why information security awareness is of vital importance. Users should know how to handle the information the business relies on to achieve its objectives.

They should know what to do.
They should know what not to do.
They should know how to protect your client’s information and your critical data.

Businesses operate in different sectors and regions and are subject to different laws, regulations and/or industry standards. Compliance with these laws, regulations and industry standards is very important in order to avoid regulatory risk.

Some examples of regulations and their requirement for security awareness:

HIPAA: “Implement a security awareness and training program for all members of its workforce (including management).”

ISO27000: “All employees of the organisation and, where relevant, contractors and third party users should receive appropriate awareness training and regular updates in organisational policies and procedures, as relevant for their job function.”

FISMA: “Security awareness training to inform personnel, including contractors and other users of information systems that support the operations and assets of the agency, of information security risks associated with their activities; and their responsibilities in complying with agency policies and procedures designed to reduce these risks.”

PCI-DSS: “Implement a formal security awareness program to make all employees aware of the importance of cardholder data security”

NZISM: “Agency management MUST ensure that all personnel who have access to a system have sufficient information security awareness and training.”

ASD: “User education. Avoid phishing emails (e.g. with links to login to fake websites), weak pass-phrases, passphrase reuse, as well as unapproved: removable storage media, connected devices and cloud services.”

It is clear that no matter what type of organisation you are, you will have some sort of compliance requirements.

Meeting all those requirements is a difficult task that can take a lot of time and effort. In my experience, some organisations do something about it, but not enough. They think: “we do the minimum effort and tick the boxes.”

But let’s be honest: just being compliant does not really give you solid information security. You need to foster a culture of information security in your organisation and ensure you have done everything you reasonably can to train the users and make them aware of risk, policies, procedures and guidelines.

On top of that there is the requirement of governance over it all. As an executive you must ensure you have done your due diligence in order to protect your critical information. If you are storing personally identifiable information or sensitive financial data, you don’t want to be held liable for not implementing the proper risk mitigating measures.

Implementing a complete and ongoing information security awareness program will help you be compliant, and build and foster that information security culture.

Create a program that addresses information security awareness training to all your staff, from the receptionist to the CEO. Give them bite-sized educational material regularly. A quarterly training moment seems to be a good rhythm. Reinforce the training with additional material like posters that you put up in the premises, newsletters and/or little games.

Additionally, test the actual state of awareness. We suggest a monthly phishing test that offers some additional learning material to anyone who clicks, and an acknowledgement and thanks to anyone who reports the phishing email (without having clicked the link, obviously). Extra tests can also be done, for example with “infected” USB sticks.

Make sure your training and testing generate sufficient reporting that can feed back into your compliance and governance efforts. That way you can prove your due diligence, show you are compliant, and monitor and foster the desired information security culture.
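As an added illustration of the test-and-report loop described above (this is example code written for this post, not a tool from the author), the Python below takes the outcomes of monthly phishing simulations and turns them into the figures a governance report needs: click rate and report rate per campaign, who should receive extra learning material versus a thank-you, repeat clickers who need targeted training, staff missed by a campaign (evidence for the “all members of the workforce” requirements), and the click-rate trend over time. The staff names, months and outcomes are constructed sample data, and the field names are assumptions, not the format of any particular phishing-simulation product.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class PhishResult:
    """Outcome of one simulated phishing e-mail sent to one user in one campaign."""
    user: str
    month: str      # campaign month, e.g. "2019-01"
    clicked: bool   # user followed the simulated link
    reported: bool  # user reported the e-mail to the security team


# Constructed sample data: four staff members over three monthly campaigns.
SAMPLE_RESULTS = [
    PhishResult("alice", "2019-01", clicked=False, reported=True),
    PhishResult("bob",   "2019-01", clicked=True,  reported=False),
    PhishResult("carol", "2019-01", clicked=False, reported=False),
    PhishResult("dave",  "2019-01", clicked=True,  reported=True),
    PhishResult("alice", "2019-02", clicked=False, reported=True),
    PhishResult("bob",   "2019-02", clicked=True,  reported=False),
    PhishResult("carol", "2019-02", clicked=False, reported=True),
    PhishResult("dave",  "2019-02", clicked=False, reported=False),
    PhishResult("alice", "2019-03", clicked=False, reported=True),
    PhishResult("bob",   "2019-03", clicked=False, reported=True),
    PhishResult("carol", "2019-03", clicked=False, reported=True),
    PhishResult("dave",  "2019-03", clicked=False, reported=False),
]


def monthly_metrics(results):
    """Per campaign month: how many were tested, clicked, reported, and the
    resulting rates. 'clean_reports' counts users who reported WITHOUT clicking,
    which is the behaviour the programme wants to reinforce."""
    months = {}
    for r in results:
        m = months.setdefault(r.month, {"tested": 0, "clicked": 0,
                                        "reported": 0, "clean_reports": 0})
        m["tested"] += 1
        m["clicked"] += int(r.clicked)
        m["reported"] += int(r.reported)
        m["clean_reports"] += int(r.reported and not r.clicked)
    for m in months.values():
        n = m["tested"]
        m["click_rate"] = round(m["clicked"] / n, 2)
        m["report_rate"] = round(m["reported"] / n, 2)
        m["clean_report_rate"] = round(m["clean_reports"] / n, 2)
    return dict(sorted(months.items()))


def followups(results, month):
    """Who gets what after a campaign: extra learning material for anyone who
    clicked, an acknowledgement and thanks for anyone who reported without clicking."""
    extra_training = sorted(r.user for r in results if r.month == month and r.clicked)
    thanks = sorted(r.user for r in results
                    if r.month == month and r.reported and not r.clicked)
    return {"extra_training": extra_training, "thanks": thanks}


def repeat_clickers(results, threshold=2):
    """Users who clicked in at least `threshold` campaigns: candidates for
    targeted training rather than another generic reminder."""
    counts = Counter(r.user for r in results if r.clicked)
    return sorted(u for u, c in counts.items() if c >= threshold)


def untested_staff(results, staff, month):
    """Evidence for the 'all members of the workforce' requirements: anyone on
    the staff list who was not included in a given campaign."""
    tested = {r.user for r in results if r.month == month}
    return sorted(set(staff) - tested)


def click_rate_trend(results):
    """Click rate per month in chronological order; a falling series is the
    governance-level signal that the programme is working."""
    return [m["click_rate"] for m in monthly_metrics(results).values()]


if __name__ == "__main__":
    staff = ["alice", "bob", "carol", "dave", "erin"]   # constructed staff list
    for month, m in monthly_metrics(SAMPLE_RESULTS).items():
        print(month, m)
    print("follow-ups 2019-01:", followups(SAMPLE_RESULTS, "2019-01"))
    print("repeat clickers:", repeat_clickers(SAMPLE_RESULTS))
    print("untested in 2019-03:", untested_staff(SAMPLE_RESULTS, staff, "2019-03"))
    print("click-rate trend:", click_rate_trend(SAMPLE_RESULTS))
```

The distinction between “reported” and “reported without clicking” is deliberate: a user who clicks and then reports has still been caught, so they get the learning material, while the thank-you goes only to the clean reporters. The trend and the untested-staff list are the two numbers an executive signing off on due diligence will actually ask for.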

Above all, the disruption of your business by security incidents will decrease and your organisation will become more resilient.

The return on investment of an information security awareness program will be excellent.

I can pretty much guarantee it.

Reduce risk, check
More resilient, check
Security culture established, check
Compliance, check

The information security awareness program often comes last, but perhaps it should come first. What do you think?