Information Security and Data Protection can be dry subjects; it’s not uncommon to see someone rolling their eyes when they crop up, as they can be perceived as blockers to innovation. Security specialists have historically been seen as ‘no’ people but, honestly, we’re actually people who prefer to say, “yes, but maybe not like that”.
Information Security is much more effective when considered early and embedded into the foundations of any product or process than if it’s bolted on as an afterthought later. Effective controls can then work to enhance features and provide additional layers of protection. If a road surface is cracked or damaged, resurfacing the entire road is a much more effective long-term solution than patching it; one good freeze or downpour will cause potholes and inevitably the damage gets worse.
The same can be said for awareness and training. We have an obligation to the success of our business, and to our customers, to ensure all colleagues have a basic awareness of Information Security and Data Protection principles, and we therefore provide computer-based training for all colleagues at induction and then annually. But is an annual training course enough? An ongoing programme of awareness is much more likely to turn compliance into habit.
It’s also reasonable to expect that telling people they must do something won’t quite get the same level of enthusiasm as them choosing to do it. That’s why, at TDX, we incentivised this year’s annual information security training by entering everyone who completed it by an early deadline into a prize draw, resulting in a much higher early completion rate than we could otherwise have achieved. It’s too soon to gauge whether this approach will have a better impact on individual understanding, but we believe that if the majority of people complete it of their own volition rather than with their manager standing over them it will make a difference.
Awareness campaigns shouldn’t be about ticking a box or patching that pothole. We should be much more interested in the foundations of our business, and by providing regular, consistent messages we can achieve real behavioural change and seek to embed those positive habits.
By Vicky Clayton, Information Security Officer, TDX Group