During World War II, the United States was worried about German spies
obtaining details about shipping routes and schedules to Europe. That’s
when they came up with the security awareness campaign — ”Loose Lips
May Sink Ship”.
It was both a dramatic illustration and held an obvious truth: If you
don’t watch what you say, unintended people may pick up on the discussion
and take advantage of it — maliciously.
I thought of the saying after listening to a very loud person — a senior
executive, I am pretty sure — discuss his business plans with an
associate. Given how he projected his voice when he talked, a person two
rooms down could have listened in, as well, while he discussed what firm
was failing, who they planned to acquire and so on.
In our rush to implement technical solutions for security, it’s
imperative not to forget the role of users and the responsibilities that
go along with it.
There are two parts to this. First, users need to understand their role
in security. Secondly, there must be an on-going awareness campaign.
Responsibility
Employees must understand that in order to have an effective internal
control environment and security, they must play an active role. The
formal responsibility and any specifics need to be outlined in each job
description. The phrase ”responsible for adhering to corporate policies
and procedures” is an important addition. This way the policy and
procedure documentation can be updated and the job descriptions left
alone. The employee should sign and date the form attesting to his/her
understanding of the position and compliance with the requirements.
The next step is to cover the policies and procedures during new hire
training.
Formal classes should cover what processes and controls are relevant and
then the employee should date and sign a statement noting that the
classes were conducted and that he/she attended the training and
understood the material presented. Management should consider the use of
professional trainers to ensure that the lesson plans are correctly
assembled and communicated to maximize efficacy.
Annually, refresher training should be given. This is an ideal time to
cover any new changes to job descriptions, policies and procedures, etc.
The intent is to again formally go over what is expected, hear any
concerns and obtain signed and dated review forms.
Be prepared for questions and objections.
Inevitably, issues arise during these reviews. There needs to be a
defined process to discuss and resolve, when possible, disputes. Note
that standards cannot be infinitely flexible. In some cases, tough
decisions will be made as to whether to support a standard or the person
in question. Trying to do both constantly, while giving concessions, will
make the standard collapse and send the wrong message.
Awareness
The intent of awareness programs is to keep responsibilities and issues
at the forefront of peoples’ minds. It is not a replacement for training
programs, but rather a supplement to training intended both to inform and
remind.
There are a great many ways to enhance awareness. The type of program
followed depends on company culture and resources — notably time and
money. In the same way defenses are layered, consider layering your
awareness programs to try and maximize their reach. Potential avenues
include:
messages en masse. The challenge is just getting the users to bother
reading the email or going to the web page. Consider adding a competitive
element — find the answer to the question and win a prize;
have people bring their own lunches to hear topics that can affect their
lives both in and out of work. For example, discuss anti-virus, privacy,
firewalls, spyware, monitoring children’s Internet usage, etc. Company
specific messages can be interwoven with the topics of personal interest
to the employees;
etc. Like emails and web pages, the challenge is to have employees
actually read the poster and internalize the message;
updates about internal controls and security. The challenge with these is
to try and coordinate the meetings with departments that already have a
full bevy of their own meetings and issues;
departments and attend their meetings on a defined schedule to
communicate updates. For example, perhaps you strive to hit each
department once per quarter, and
good way to get some additional participation. Some groups will offer
gift certificates, a token electronic gizmo, etc. As the challenge and
payoff increases, typically so do the number of participants.
Technology and processes alone are not enough. The user community must be
actively engaged and own the responsibility for internal controls and
security, as well. By working together, the organization can effectively
and efficiently reduce risks. Without the recognized and accepted
ownership by the users, the organization’s internal control environment
and security posture will be compromised.
Ethics and Artificial Intelligence: Driving Greater Equality
FEATURE | By James Maguire,
December 16, 2020
AI vs. Machine Learning vs. Deep Learning
FEATURE | By Cynthia Harvey,
December 11, 2020
Huawei’s AI Update: Things Are Moving Faster Than We Think
FEATURE | By Rob Enderle,
December 04, 2020
Keeping Machine Learning Algorithms Honest in the ‘Ethics-First’ Era
ARTIFICIAL INTELLIGENCE | By Guest Author,
November 18, 2020
Key Trends in Chatbots and RPA
FEATURE | By Guest Author,
November 10, 2020
FEATURE | By Samuel Greengard,
November 05, 2020
ARTIFICIAL INTELLIGENCE | By Guest Author,
November 02, 2020
How Intel’s Work With Autonomous Cars Could Redefine General Purpose AI
ARTIFICIAL INTELLIGENCE | By Rob Enderle,
October 29, 2020
Dell Technologies World: Weaving Together Human And Machine Interaction For AI And Robotics
ARTIFICIAL INTELLIGENCE | By Rob Enderle,
October 23, 2020
The Super Moderator, or How IBM Project Debater Could Save Social Media
FEATURE | By Rob Enderle,
October 16, 2020
FEATURE | By Cynthia Harvey,
October 07, 2020
ARTIFICIAL INTELLIGENCE | By Guest Author,
October 05, 2020
CIOs Discuss the Promise of AI and Data Science
FEATURE | By Guest Author,
September 25, 2020
Microsoft Is Building An AI Product That Could Predict The Future
FEATURE | By Rob Enderle,
September 25, 2020
Top 10 Machine Learning Companies 2021
FEATURE | By Cynthia Harvey,
September 22, 2020
NVIDIA and ARM: Massively Changing The AI Landscape
ARTIFICIAL INTELLIGENCE | By Rob Enderle,
September 18, 2020
Continuous Intelligence: Expert Discussion [Video and Podcast]
ARTIFICIAL INTELLIGENCE | By James Maguire,
September 14, 2020
Artificial Intelligence: Governance and Ethics [Video]
ARTIFICIAL INTELLIGENCE | By James Maguire,
September 13, 2020
IBM Watson At The US Open: Showcasing The Power Of A Mature Enterprise-Class AI
FEATURE | By Rob Enderle,
September 11, 2020
Artificial Intelligence: Perception vs. Reality
FEATURE | By James Maguire,
September 09, 2020
Datamation is the leading industry resource for B2B data professionals and technology buyers. Datamation's focus is on providing insight into the latest trends and innovation in AI, data security, big data, and more, along with in-depth product recommendations and comparisons. More than 1.7M users gain insight and guidance from Datamation every year.
Advertise with TechnologyAdvice on Datamation and our other data and technology-focused platforms.
Advertise with Us
Property of TechnologyAdvice.
© 2025 TechnologyAdvice. All Rights Reserved
Advertiser Disclosure: Some of the products that appear on this
site are from companies from which TechnologyAdvice receives
compensation. This compensation may impact how and where products
appear on this site including, for example, the order in which
they appear. TechnologyAdvice does not include all companies
or all types of products available in the marketplace.