No matter the industry - healthcare, higher education, government, infrastructure, etc. - every organization should have a defined user awareness program. Such a program may involve sending emails, publishing guides, creating posters, and disseminating information by other means of communication. Yet most, if not all, organizations still have issues arising from improper employee response or action related to information security. No matter how good technical security controls are, the user is the weakest link.
I propose a new approach to employee education: Hyper User Awareness. Hyper User Awareness takes educating employees on appropriate action and response regarding security practices within an organization to the next level.
To illustrate what this means, I'll use a personal example. Late last year, one of our pets did not come home. Our family did what we thought was appropriate. We posted fliers on nearby street signs, searched the area and alerted neighbors via phone and email. All of our activities were to no avail. After about a week, we decided to bring in a professional - a pet detective. (Yes, they really do exist.)
Along with years of experience locating lost animals, the pet detective brought in a new strategy to raise awareness of the lost pet in our area. The fliers that we initially hung looked like postage stamps next to the posters he had us create. He attached these new, huge posters to his vehicle, a black truck with Pet Detective unmistakably emblazoned on all sides. He parked his truck at strategic intersections during busy traffic times. He placed fliers on every street sign, stop sign, and vertical public surface he could find within a specific radius of our home. Additionally, the pet detective employed techniques for tracking that we had no experience with.
Within 24 hours, we got a call from a neighbor who lived within the pet detective's search radius saying her kids were outside playing with our pet. Without the extensive use of awareness materials in a non-traditional, hyper fashion, our pet might still be missing. How many times have you driven past a lost pet sign and not bothered to read the details? How many times have you walked past an information security awareness poster without reading it? And if you read it once, did you ever stop to re-read it or think about the message again?
The poster in the hall won't do it. The quarterly email to all employees won't cut it. The yearly distribution of an information security awareness guide won't be read. The annual or bi-annual awareness training won't be remembered. What you need is Hyper User Awareness - an in-your-face approach that never lets employees forget that they are the most important aspect of securing the company's critical information and protecting the workforce.