A security awareness program is a way to ensure that everyone in your organisation has an appropriate level of knowledge about security, along with an appropriate sense of responsibility. With the recent reports from Prime Minister Scott Morrison on cyber attacks on businesses across Australia, now is an important time for businesses to readdress the importance of Cyber Security.
What is Cyber Security Awareness?
Cyber security awareness is the knowledge that individuals authorised to utilise a business’s computing environment share the responsibility to protect the computer system and the data stored there.
Cyber Security Awareness refers to the personal responsibility each employee assumes for ensuring:
- The confidentiality and integrity of private data.
- Timely and uninterrupted availability of your business’s resources for all authorised users.
- Your business’s IT systems are protected from the potential of fraud, waste, and abuse.
Australian privacy laws are contained in a variety of Commonwealth, State and Territory Acts.
The “Privacy Acts” are data protection laws which regulate the collection, use, and disclosure of personal information about individuals; they do not protect the privacy of the individual in a broader sense. Your business is also required to comply with a variety of other legislation containing privacy protection provisions relevant to particular types of entities and/or practices – for example:
Building Your Program
Security awareness programs are important because they reinforce that security is the responsibility of everyone in a business, not just that of a security or IT team.
The first line of defence in any security stance is your controls: “How we enforce security ‘best practices’ and prevent successful compromise”
Breaches of your systems can include loss or misuse of portable storage devices with your organisation’s data, computer log evidence of unapproved downloads, or access or use of data by unauthorised persons.
The second line of defence is detection: “How we can catch attacks or attempted breaches, or how we know whether our controls are working.”
Antivirus software plays a very important role in keeping your organisation’s devices safe and secure from malicious threats and vulnerabilities.
The third line of defence is your people: “How aware they are of security and what they are doing to avoid being a weak link.”
By making the third line of defence solid, educating and training your teams and providing them with the tools they need to do the right thing day in and day out, you are arming them to protect your business as well as themselves. Start early with your employees: begin during induction and cover all security protocols and policies in your training, along with incident reporting and post-incident communication with your customers in the event of a breach. (You can find more information on staff training by reading our Online Learning blog.)
Building a Policy:
Having policies and procedures documented for Security Awareness and Electronic Communication for your organisation is an essential step in reinforcing and clarifying the expectations and responsibilities your business has of its employees. An effective Policy on this subject should include:
- Referenced legislation.
- The purpose of the policy and why the policy is important.
- Who the policy applies to.
- Clear and accurate definitions of terms used throughout the policy.
- Employee obligations and responsibilities under the policy.
- What happens when the policy is breached.
If you do not yet have an Electronic Communications or Security Policy in place in your organisation, we have provided a downloadable policy template for your organisation below.
Combining Cyber Security and Physical Security Efforts
Making sure your online data is safe is only part of what your business needs to do to build a Security Awareness Program. Security for your business needs to be a combination of physical and cybersecurity efforts.
Physical security is the protection of people, property, and physical assets from actions and events that could cause damage or loss. Though often overlooked in favour of cybersecurity, physical security is equally important.
What Can You Do to Ensure Physical Security is Protected?
- Implement a Disaster Recovery Plan (DRP) that defines how your business will recover from a disaster.
- Provide keyless entry access to your premises to allow the tracking of entry and exit of individuals. This will ensure that access for those who would harm your staff or business is as limited as possible.
- Ensure employees gain approval in advance if they need to access the premises outside of standard hours.
- Install wireless security cameras to allow you to see and record activity, and to review it if there is a breach.
- Ensure the exterior of your premises is illuminated with motion sensor lighting so that staff entering or leaving the building after dark can see any potential obstacles or dangerous individuals.
- Maintain a foliage-free entry to reduce the chance of individuals hiding there, thus protecting staff and minimising the ability to gain unauthorised entry into the premises.
- Conduct random audits of the security, re-position cameras, and change passwords to protect your business and staff.
- Do not ever share your password/code with anyone inside or outside of the business.
The need to embrace new and emerging technologies when conducting business and fulfilling your business objectives is inescapable. However, it also brings with it an obligation to manage the risks associated with the use of these technologies in a coordinated way to build a legacy of dependable precedence and encourage consistency.
To see further how dita Solutions can help you implement effective staff inductions that provide quality training on Security Awareness and Electronic Communications, contact us here.
Download Our Free Policy
Download our free and customisable Electronic Communications Policy. Our Policy provides clear guidance to help you get started with implementing this policy for your business.