Many organizations compartmentalize Information and Communication Technology security by restricting its function to the IT department.
A crucial component of information security is the user or employee. Employee sensitization is important because no matter how good the procedures are, employees are usually the weakest link and provide vulnerable access points.
The use of personal memory disks and external hard drives poses a threat to an organization’s information system. Employees also download unsafe programs onto work computers and in the process disable systems designed to protect them.
Virus infections are a potent threat due to the exchange of unauthorized files through a company’s network. For instance a traveling salesman uses a company laptop that he works from when in the field. As the laptop is only infrequently connected to the company’s laptop, its anti-virus update is bound to lapse. When the salesman returns from the field and connects it to the company intranet a virus can be spread before the latest update can be applied.
Employees as a baseline should receive Information Security Staff Handbooks and should sign acceptance of corporate policies and acceptable usage conditions. However, these documents are not very effective and should be supplemented by other initiatives.
These can include the following. Compulsory information security training for new staff using mixed media such as computer based training, video and PowerPoint formats. Security awareness should also be conducted to all staff, newly joined or existing, so as to understand the importance of information security and their individual responsibilities.
Employees should also be supplied with security awareness materials such as intranet pages, brochures, posters and identity badge clips with security messages
Annual mandatory testing of Information Security awareness along the lines of training and time constrained examinations should be conducted.
Regular news bulletins should be given to staff about the importance of information security particularly when security breaches make news.
Employee action, deliberate or accidental, can potentially result in serious information security issues such as virus infections. Staff should be provided with education on the firm’s Information Security Policies and Procedures constantly.
The key to success also depends on the commitment of senior management to funding, developing and implementing security awareness among employees. Delegating this function to middle managers is not sufficient. Senior managers should also address significant deficiencies immediately and demand constant monitoring of the company’s security infrastructure.