Organisations have already recognised that people are valuable – often the most valuable – assets. They also know that people represent risk, because of the possibility of human error, negligence, and even deliberate damage. Cybercriminals are well aware of this too. They often prefer to attack using social engineering tactics to learn user and system access codes: it’s easier and faster than trying to break through layers of hardware and software protection. Many enterprises have therefore invested in programs to increase their employees’ awareness of information security in particular, and of the need to protect and back up data in general. Now it’s time to shift up a gear to “awareness 2.0”.
The idea behind awareness programs is to get people to change their attitude and their behaviour. For example, employees come to realise that organisational data is important and that loss or theft of such data could cause serious harm to the organisation. Building on this realisation, they learn about improvements in behaviour, such as maintaining the right levels of confidentiality in emails and using only approved secure data storage. IT workers are exhorted to perform backups of data to secure locations, run vulnerability scans, and test their disaster recovery plans on a regular basis. Awareness by itself is a key step, but it is not sufficient. There is still something missing.
Rather than depending only on employees’ memory and reactions, awareness needs to have a counterpart in process. An organisation should embed safe working and reliable disaster recovery into the way it functions or, to use a business cliché, into its DNA. Good processes for handling information, safeguarding data, and operating DR solutions keep a company on the rails. Awareness is still essential, because mindless processes will ultimately have the opposite effect and lead to derailment. Awareness and process, working together, are both necessary now to create and maintain the levels of security that each organisation needs.