I’d hazard to bet that computer security is listed someplace on every "Top 10" technology priority/concern list on the Internet. Ask anyone who built those lists, though, and they’ll tell you that sitting through a technology best-practices presentation isn’t a "Top 10" experience. Understand that I’m not advocating skipping security sessions; I just have a grip on reality and realize the stuff can be extremely boring.
So while we all realize technology security is a priority, nobody really wants to understand it. What do we do? First off, let’s take a simple approach and hit the low-hanging fruit with a general security awareness program. Security awareness programs are built to share security information with the masses without the brain meltdown you often find in detailed security sessions.
Who: Everyone is a potential victim, and you’re only as strong as your weakest link. It stands to reason that everyone should be included in your security awareness sessions, not just the technical staff. You might be surprised what people bring to the table.
What: Security awareness sessions aren’t meant to be all-inclusive technology security programs. They’re designed to distribute easy-to-understand security best practices. They should allow attendees to learn about current threats, share experiences, and ask questions about best practices.
This isn’t a way to beat security terms and acronyms into attendees’ heads; it’s a way to share the basics. Topics like firewall and antivirus configuration are off limits; those belong to the technical staff. Topics that should be discussed include, but are not limited to, phishing schemes, social engineering, and recognizing the signs of malware.
When: New security threats appear daily. It’s just not practical to hold an awareness session every time a new threat appears; a good awareness program does, however, run on a recurring schedule. Depending on your industry, you might consider monthly or quarterly security awareness meetings.
Where: Sessions should be held live so that people can talk. Keep in mind that this isn’t a news push; it needs to be a discussion. If you can’t meet in person, use online tools that allow two-way communication.
Why: Most security breaches start with simple, well-known weaknesses and/or people on the inside: a clicked link, a shared password, an attachment that shouldn’t have been opened. Educating staff to recognize and respond to these simple threats will often have a larger impact on your security than any single hardware, software, or consulting purchase ever will.
Security awareness programs are a simple, inexpensive, and effective way to combat the most common security threats. If you don’t have one, you should.
If you would like more information on building a security awareness program, come see me at OSCPA Accounting Shows or at OSAE sessions. Do you work in a CPA firm, association, or non-profit organization? Contact me about how I can help you build your plan at no cost to you.