MediaBUZZ - ePublisher of Asian Channels and Asian eMarketing

Asian Channels, April 2009

Symantec’s Security Awareness Program: Helping Organizations Better Protect Their Information


Data is a company’s most valuable asset but just how safe is your corporate data? Do you know that according to a study in the US by Symantec and the Ponemon Institute, 59% of employees take confidential corporate information with them when they leave their jobs?

Data leakage is definitely a real threat facing organizations today, whether it's caused by theft, internal breaches or simply due to broken business processes. With the current economic downturn resulting in downsizing, layoffs, and possibly reduced IT staffing, there is increased pressure to turn customer data into money, but fewer internal resources to police use. Employee behavior is often linked to data breaches, and insider threats may increase as economic pressure rises.

In the current uncertain economic climate, it pays to ensure employees are more security-conscious and proactive in protecting an organization's valuable data. According to Symantec’s Dale Smith, director of Education, Asia Pacific & Japan, most data loss incidents are preventable, using a combination of data loss prevention (DLP) technology, policies and employee education. Training and awareness programs help educate employees on careless and dangerous work behavior that can lead to security incidents that can impact an organization’s brand or cause major financial loss. Ultimately, employees remain the strongest defense in protecting an organization’s information.

To address this need, Symantec recently launched its latest version of the Symantec Security Awareness Program, an employee training program designed to help organizations build a more security conscious workforce. The Program aims to help customers in Asia and around the world minimize security risks, protect sensitive data, avoid security incidents such as data breaches that compromise their brand, and meet growing compliance and governance regulations. 

Sold on a per-user license basis, the overall cost of the Program varies based on company size. Symantec provides flexible content customization services to tailor the program's content to a company's specific needs. The time needed to complete the program will depend on the individual company's training needs.

For individuals, Symantec has streamlined the program so it can now be completed in 90 minutes, allowing organizations to train their employees on security while causing minimal work disruption.

Emphasizing the need for such a Program, Smith says, “Having the technology solutions and processes in place is a must, but organizations cannot neglect the human aspect of security. Most security incidents aren’t the result of malicious intent, but rather inadvertent mistakes and misunderstood policies. All it takes is for one person to cause irreparable damage to a company’s data, systems, operations, reputation and financial standing. While there are a variety of sophisticated security technologies to help protect proprietary information assets, technology alone cannot secure the enterprise.”

He continues, “As the current economic downturn may impact IT staffing, employees will continue to play an important role in protecting an organization’s information. Security awareness training creates a more security conscious workforce that can be proactive in protecting an organization’s valuable data. Education and training play a role as an organization’s workforce must understand information security issues and behave in a manner that minimizes risks.”

The Program provides comprehensive web-based training and communication tools to help companies meet any regulatory requirements specific to employee security awareness training. At the same time, vulnerabilities can be reduced through the creation of a more security-aware workforce. “The program is designed to not only increase security knowledge and understanding, but also to influence appropriate employee behavior at all levels of the workforce,” explains Smith.

“Thus, our Program enables organizations to improve their security by giving employees the knowledge and understanding they need to better protect valuable information assets through proactive, security-conscious behavior,” Smith adds.

Features included in Symantec’s Security Awareness Program Version 3.2 are:

  • Improved user interface with more graphics for an enhanced user experience, with new interactive exercises to better engage users in their learning.
  • Searchable transcripts which allow users to search and review key topics more quickly.
  • Updated communication tools to address multiple communication media to promote knowledge transfer and information retention.
  • Customer reference links, allowing organizations to link to their own security policies, procedures and other relevant information. This link can be easily customized by the customer.
  • Sample pre-assessment surveys that allow customers to establish a baseline of their employees’ information security knowledge.
  • Symantec Online Syndicated Content to help organizations create a unique touch point for security information on their own website. This feature allows customers to include Symantec syndicated content directly on their own website to educate users on the latest virus alerts, threats, tips and tricks, Questions & Answers segments, Articles of the month and more. Customers can choose which content is relevant to their organization, with the advantage of having the content automatically refreshed, without any action on the customer’s part.
  • An optional Payment Card Industry Data Security Standard (PCI DSS) module is designed to address the growing demands around storing customer financial information.  This module will help organizations train their employees on the types of information that need to be protected, and the requirements that must be enforced any time a credit card number is stored, processed or transmitted.

Commenting on the key features of the new version, Smith says that organizations have the option of choosing the standard web-based training content or customizing it to meet their specific needs, such as branding the content with their logo and company name. “Organizations can reference their own security policies, procedures and other relevant information, to give their employees a better understanding of their internal policies and security guidelines,” he adds.

The Symantec Security Awareness Program supports a risk management approach. The web-based training is structured in three phases to help employees understand their roles in protecting company information and assets, and includes an assessment portion at the end to ensure proper understanding of the training.

  • Phase 1: Understanding what information security is, why it’s important and how everyone is responsible.
  • Phase 2: The reality and awareness of threats, viruses and countermeasures, and hackers’ objectives and techniques.
  • Phase 3: Applying best practices to everyday tasks.

“With this phased approach, the Program allows an organization to put the controls in place to remind, refresh, motivate and measure best practices learned, which is essential to the success of any program. Security best practices must become a habit incorporated into one’s daily tasks. The Symantec Security Awareness Program supports this process to help influence one’s attitudes and behavior,” Smith notes.

He believes that the greatest value provided by Symantec’s awareness program is “our expertise which is derived from a broad base of information security knowledge, including real-time analysis of emerging security threats and vulnerability data, and business consulting that addresses risk management and security program needs for global clients.”

So where does Asia stand when it comes to security awareness? Smith says that security awareness differs from market to market across Asia as it depends on how developed their IT infrastructure is. “In growing markets such as Vietnam, Indonesia and the Philippines, they are first making sure that they have the basic protection necessary through the deployment of antivirus, anti-spam and anti-phishing software. Once this has been established, businesses will then start to explore setting up network-based security solutions that include network firewalls, encryption and email security. For mature markets such as Singapore, Australia and Japan, they are looking to enhance their enterprise security infrastructure, and will deploy scalable security solutions to meet their current and future business needs. Data leakage prevention and compliance are some of their bigger priorities, and these businesses are also looking for solutions that can help them easily manage their increasing number of assets and resources.”

He adds that the challenges faced by Asian businesses are similar to what Symantec sees occurring across the globe. “There is no longer an impenetrable wall around organizations. People are the new perimeter as companies are being forced to trust their data to third-parties and secure data that is not always in their control. Since the perimeter can't be shut down, security needs to focus on protecting information, not just devices,” he explains.

“To secure and manage information effectively, businesses need to know where their information is, what is sensitive or confidential, who has access to it, who needs access to it and how to make sure it’s protected and available when it’s needed,” he stresses.

So what best practices guidelines does Smith have when it comes to greater security awareness? Here’s his advice:

Have a sound security policy in place

Elaborating, Smith says, “Information security is both a business and a technology issue. Corporate knowledge and data are arguably the most important assets of any organization. Companies are charged to ensure the confidentiality, integrity and availability of their data. These three security objectives answer the questions: "Who sees the data?", "Has the data been corrupted?" and "Can I access the server or data when I need it?"”

The benefits of establishing a corporate security policy include:

  • A fortified IT infrastructure that provides business continuity by ensuring that security vulnerabilities are identified and addressed.
  • Reducing corporate risk - information is safely shared within the organization, and with customers, partners, and vendors.
  • Meeting industry and government standards and regulations.
  • Raising security awareness among company personnel, increasing the likelihood of individual compliance.

Monitor all data usage and prevent confidential data from exiting any network gateway or endpoint

Companies need to look beyond protecting network perimeters from external threats. They should consider implementing solutions that guard against the insider threat, by delivering unified protection of data wherever it is stored or used.

Preventing confidential data from being transmitted outside the enterprise first requires comprehensive monitoring of multiple exit points and endpoints. Email, instant messaging, blogs and other electronic channels may be points of weakness. Storage devices such as USB devices, CD/DVDs and iPods also provide easily accessible endpoints to which confidential data can be copied.

Organizations need to accurately discover confidential data wherever it is stored, used, copied or sent - be it file servers, documents and emails, web sites, databases or other data repositories. Once this data is identified, enterprises can then take proactive steps to protect confidential information before it has a chance to be transmitted.

Change employee behavior through awareness and education

The effectiveness of even the best technology and processes can be undermined if employees do not understand the value of their company’s information assets and their role in mitigating risk. With heightened awareness, employees can also become a company’s strongest line of defense and its most valuable security asset. Formal security awareness training programs and clear security policies can help to increase employees’ security awareness.

Smith concludes, “The Symantec Security Awareness Program provides everything a customer needs to successfully and quickly implement a long-term employee security awareness program. Symantec professional consultants and partners are able to provide a wide range of consulting and implementation services to help organizations with additional employee security awareness needs.”

By Shanti Anne Morais