Training needs to be done early

Security education and policy teaching for new employees should be taught in the first few weeks of them starting, according to Denis McCauley, director of global technology research at the Economist Intelligence Unit.

McCauley's claim was backed up by Freeform Dynamics managing director Jon Collins, who claimed that many new users do not take corporate security seriously enough, and may undertake simple time and memory-saving exercises such as writing their password on a post-it note.

Collins said: “A PIN password on a phone should be a must for everyone, but you only do it when you are told. This is the principle of 20 per cent of what is done that causes 80 per cent of the risk.”

Rik Ferguson, senior security advisor at Trend Micro, claimed that there was a need to see the point of training from both sides in order to make the process simple but effective. He said: “We need to be more aware of the position of training as the trainer and make employees aware that training is intended to protect themselves from a wider legal, HR or disciplinary fine. It is for their benefit and ours.”

Commenting, Professor Fred Piper of the information security group at Royal Holloway University of London agreed. He said: “People should be told about the security policy as soon as they arrive. They should know what is right but it does not need to be heavy.

“The policy should be explained about not sharing passwords or downloading material, and we need managed personal devices as that is very important, they need to make it plain. Security is like health and safety, it should just be there.”

See original article on scmagazineuk.com