Clean Desk Policy
Starting with a simple one, a clean workstation limits the risk of proprietary documents and other information from being compromised. Once a month sweeps of work areas to check for loose document habits and cluttered workspaces will help cut down on mishandling of sensitive information.
Any screen left unlocked and unattended reflects a high-risk user behavior and should be recorded as an automatic fail. In addition, if documents are left out in plain sight, or, if documents and devices that should be secured in a locked bin are found unsecured, the incident should be at a minimum recorded, and discussed with the user.
Keep in mind that every cyber awareness program element represents an opportunity to lower cyberattack risk, but also should be an opportunity to make better cyber practices a positive cultural attribute.
When a user passes a clean desk policy, be sure to celebrate this victory with them. Not every celebration has to be expensive or elaborate. Leaving a can of Mountain Dew on the desk of every passed user with a note that reads, “We appreciate everything you Dew” is an excellent way to show your team that you appreciate their adherence to cyber policies and that you recognized their willingness to live by them.
Posters in strategic areas
Illegally printing a random and irrelevant cyber security image from a Google search and taping the paper to all bathroom stall doors does not effectively communicate security objectives, and worse, shows users that management is not entirely committed to a best practice cyber workplace.
A simple way to keep security on the top of each of your user's minds is to place cyber awareness posters in areas where their message will resonate with users. For example, If you want your users to keep common indicators of email-based phishing attacks fresh in their mind while working, a small poster describing common indicators of attack attached to their cubical or workstation would drastically help to achieve this security objective.
Another example, if recognition of travel policies and procedures is a security objective, a poster in the HR and Help Desk office with these policies would improve your ability to ensure expectations are communicated.
Possibly the most effective method of showing users how serious management takes cyber security is to provide on-site classes for new-hires and users with critical credentials such as developers and executives. The best case here is to have a member of management conduct the session. Users absorb and take in a lecture much more willingly when they recognize the speaker as a boss or at least a respected figure.
Having said that, the speaker must be well versed in security strategies. The session is not effective if a user asks a complex but relevant question, and the speaker responds with something along the lines of, “I’m not sure, they just tell me what to tell you.”
Third part subject matter experts can be an excellent substitute as long as management introduces the speaker and subject as an important characteristic of the organization's security objectives. This affirms to the audience that the organization has an expectation of comprehension for each of them.
What better way to ask for a security budget increase then to share with the board that you intend to test their ability to recognize phishing attacks. We realize that is a joke, however, executives, specifically the Chief Executive Officer are by far the largest targeted users in most organizations. As a security leader, if you are not monitoring training and testing executives in your awareness program, you are placing your organization at a much higher risk.
Executives and managers should be expected to complete security training just like everyone else, if not more. After training is complete, a targeted phishing attack tailored personally to each executive should be completed at a minimum of once a year. Executives are users no different than anyone else. The difference is that if an intern falls for an attack, hopefully, the only assets at risk are what they have access to. If a CFO is compromised, how much of the organization’s data is at risk?